(54) Secure processor with external memory using block chaining and block re-ordering

(57) A scrambled data transmission is descrambled by communicating encrypted program information and authentication information between an external storage device and block buffers of a secure circuit. The program information is communicated in block chains to reduce the overhead of the authentication information. The program information is communicated a block at a time, or even a chain at a time, and stored temporarily in block buffers and a cache, then provided to a CPU to be processed. The blocks may be stored in the external storage device according to a scrambled address signal, and the bytes, blocks, and chains may be further randomly re-ordered and communicated to the block buffers non-sequentially to obfuscate the processing sequence of the program information. Program information may also be communicated from the secure circuit to the external memory. The program information need not be encrypted but only authenticated for security.
Description

BACKGROUND OF THE INVENTION

[0001] The present invention relates to an apparatus for efficiently and securely transferring blocks of program information between a secure circuit and an external storage device. The program information is communicated in block chains for more robust encryption, execution obfuscation, and to reduce authentication data overhead.

[0002] In one embodiment, the program information is encrypted and optionally authenticated in cipher block chains.

[0003] In another embodiment, the program information is authenticated and optionally encrypted in block chains. Block chains greatly reduce authentication data overhead. Address scrambling may be used for heightened security.

[0004] Re-ordering of fields such as blocks or bytes within each chain, as well as among entire chains, may further be used to provide even more security.

[0005] In another embodiment, blocks of program information are provided to the secure circuit to generate a key. The key may be used to decrypt a data transmission.

[0006] The invention is particularly suitable for deterring the copying and reverse engineering of proprietary software algorithms, and for securing cryptographic applications such as the descrambling of pay television programs or the like.

[0007] The following definitions are provided:
Secure Circuit:

[0008] A secure circuit is a cryptographic integrated circuit (IC) in which no one, not even the owner, has access to the internal buses, registers, and other circuitry contained within the IC. The IC may hold sensitive key, identification, and other data, but the secure circuit does not have to be the perimeter of an IC. It could be a Personal Computer (PC), for instance, in a network computer executing a program from a shared storage device accessed over a network. The network computer could be accessing a server for running applications real-time. Portions of the applications are communicated piece-meal to the network computers. The network can allow multiple computers to access the same application at the same time. With a PC, the owner might have access to the decrypted and/or authenticated and/or re-ordered program information received. Moreover, a secure circuit may process unencrypted but authenticated data.

Storage Device:

[0009] A storage device is a discrete memory component, such as an IC, of various types. However, as in the PC example described above, the storage device could be a mass storage device such as a hard disk drive located locally or remotely. If remotely located, data could be communicated between that storage device and the secure circuit over an Ethernet-like network, or for example, according to the IEEE 1394 standard. Local access to the mass storage device, for example, may be over the PC's ISA, VESA, or PCI data bus or it could even be through a SCSI, serial, or parallel interface. The mass storage device may be accessed by other network computers, or secure circuits. The storage device could also be a Jazz(TM) drive, tape, CD-ROM, DVD, Personal Computer Memory Card Interface Adapter (PCMCIA), smart card, or any other type of mass storage device.

[0010] It is possible, for instance, in the case of the network computer, that program information that is read-only is accessed over the network. A local storage device, e.g., memory, that allows read/write capability may be used that is secure for external storage purposes. Therefore, the storage device may be any combination of device types. And, in the case of a networked storage device, the program information may be copied piece-meal to a faster local memory which may be synchronous dynamic memory.

Program Information:

[0011] Program information refers generically to any information that is used by the secure circuit in the execution of a program. This may include instructions such as operational codes (op-codes) in machine code, or pseudo code or interpreted code, such as Java(TM). It may include look-up tables, stored keys, and various temporary data such as intermediate calculations and the state of the secure circuit.

[0012] It may even include some or all of the initialization vectors and keys used to encrypt/decrypt or verify/authenticate the rest of the program information in block chains. This can allow the same vector or key information to be encrypted under different keys so that different secure circuits individually or as select groups may gain access to the same program information, and have derived or been delivered different keys.

[0013] The information could include key information and data having to do with the nature of how the bytes of a block, blocks of a chain, and chains are stored in the storage device. This might include the order permutation information of the various fields of a chain or chain sequences described in more detail later.

Hash:

[0014] Hash does not strictly denote a one-way function. Although a strict one-way function is a possibility, the function may be reversible under a secret key or a trap-door one-way function, or be a very simple function such as an XOR operation.
Data Transmission and Cryptographic Processing:

[0015] Data transmission is used for text, messages, video, and audio signals of all types. These include but are not limited to text, messages, video, and audio from broadcast and interactive television and radio, program guides, news services, and interactive message traffic over communication channels. The scrambled data transmission may be sent various ways, e.g. via a broadcast satellite, cable, telephone, or other link, or from a removable mass storage medium such as a Digital Video Disk, tape, Compact Disk (CD), floppy disk or other secure circuit, and received by a descrambling receiver, e.g., a decoder such as a set-top box, player or a personal computer in a consumer's home.

[0016] The data transmission could simply be a response to a challenge. The challenge causes the secure circuit to transform the challenge information with some type of cryptographic processing to create an output that verifies that the secure circuit indeed holds certain secret or private keys.

[0017] Internal registers in the secure circuit may be incremented or decremented. These values may be computed along with the secret or private keys to calculate the value to output. Such challenge and response techniques are typically used to authenticate the presence of a valid secure circuit before a service is granted.
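As an added illustration of the challenge-and-response exchange described in [0016] and [0017] (example code, not the patent's own protocol), the following Python models a host that issues a random challenge and a secure circuit that answers with an HMAC-SHA256 over the challenge and an internal register it increments on every use. The host refuses any response whose register value does not advance, so a captured response cannot be replayed. The shared symmetric key, the 8-byte register width and the HMAC construction are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Tuple


class SecureCircuit:
    """Holds a secret key and an internal register incremented on each challenge."""

    def __init__(self, secret: bytes, register: int = 0) -> None:
        self.secret = secret          # assumed shared symmetric key (constructed for the example)
        self.register = register      # internal register of [0017], assumed 64 bits wide

    def respond(self, challenge: bytes) -> Tuple[int, bytes]:
        """Transform the challenge with the secret key and the incremented register."""
        self.register += 1
        msg = challenge + self.register.to_bytes(8, "big")
        return self.register, hmac.new(self.secret, msg, hashlib.sha256).digest()


class ServiceHost:
    """Issues challenges and grants service only to a circuit holding the expected secret."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.last_register = 0        # highest register value accepted so far

    def challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, challenge: bytes, register: int, response: bytes) -> bool:
        if register <= self.last_register:          # replayed or rolled-back response
            return False
        msg = challenge + register.to_bytes(8, "big")
        expected = hmac.new(self.secret, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return False
        self.last_register = register
        return True


def grant_service(host: ServiceHost, circuit: SecureCircuit) -> bool:
    """One complete exchange: host sends a challenge, the circuit answers, the host checks."""
    ch = host.challenge()
    reg, resp = circuit.respond(ch)
    return host.verify(ch, reg, resp)


if __name__ == "__main__":
    key = b"demo-shared-secret"                 # constructed demo key
    host, circuit = ServiceHost(key), SecureCircuit(key)
    print("genuine circuit granted:", grant_service(host, circuit))
    print("wrong-key circuit granted:", grant_service(host, SecureCircuit(b"other-key")))
```

The register check is what turns a one-shot proof of key possession into something the host can safely repeat: without it, anyone who recorded one valid (challenge, response) pair could present it again whenever the same challenge recurs.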

Cryptographic Processing:

[0018] This is processing performed by a secure circuit which typically results in the generation of a key. The key may then be used for many things: scrambling and descrambling a data transmission, identity verification by a client or host, etc. The key does not always have to be self-contained within the secure circuit. For example, it may be sent out of the secure circuit for verification reasons.

[0019] Various problems with prior art schemes are now addressed.

Problem: Various Proprietary Algorithms can be Stolen

[0020] Software painstakingly developed at great expense may be trivially copied from external storage devices. The problem is exacerbated by open networks such as the Internet which can allow rapid and far flung distribution of the pirated code.

[0021] With the increasing speeds of general purpose processor chips, there is a trend to perform in software many processing tasks that were once done in hardware. The software is communicated through the use of discrete memory components and/or storage devices including mass storage devices. This can allow for quick reconfiguration of the processing system for different applications by simply executing different software. But that trend is hampered by the fact that the software can be easily copied, disassembled, reverse-engineered, and subsequently distributed, thereby depriving the developer and/or inventor of the benefit of this intellectual property.

[0022] Also, with increasing speed and reliability of networks, e.g. Ethernet going from 10 megabits per second to 100 megabits per second and so on, it is realistic to implement systems whereby software can be executed real-time over a network. So-called network computers would always be accessing the latest revision of an application loaded on a network based server. Any application in the archives of this server could be accessed quickly. But such servers may be susceptible to someone downloading and storing the entire application, thereby depriving the service provider of on-going revenue. Once downloaded, the software could be easily shared with others.

[0023] It would therefore be desirable to make software analysis and reverse engineering, as well as software copying and re-use by general purpose processors, more difficult.

Problem: Cryptographic Key Generator

[0024] Cryptographic applications typically involve the generation/derivation of a key based on secret or private key information.

[0025] A typical cryptographic key generator performs cryptographic processing on data transmissions. Scrambling data transmissions has become increasingly important due to the need to deter unauthorized persons (e.g., pirates) from gaining access to data transmissions. No matter how the data is transmitted or delivered, the cryptographic processing is present to ensure that providers of the data, e.g., the scrambling senders, get paid for the intellectual property they are transmitting. In the case of a communications network, messages may be scrambled to ensure the privacy of messages, and to authenticate both the sender and recipient. It can allow for non-repudiation, to prevent a recipient from later claiming that they did not order the data. Non-repudiation is important to providers because they have a higher expectation of getting paid. No one else has the cryptographic keys necessary to authenticate messages like the bona fide buyer. The data transmission is cryptographically processed, e.g., scrambled, prior to transmission under one or more secret scrambling keys. The cryptographically processed data transmission is received by a cryptographic deprocessor (descrambling receiver) such as a set-top box, media player, or a personal computer in a consumer's home.

[0026] Typically, the cryptographic processing such as what is done by a descrambling receiver is done in a secure circuit. The secure circuit is provided with the required keys at the time of manufacture or application installation and initialization, and performs a type of processing to grant access to the data transmission. If access is allowed, then the decryption key is derived. When the decryption key is used in conjunction with an associated hardware or software decryption module, the data transmission is descrambled, e.g., made viewable or otherwise suitable for the user.

[0027] The descrambling hardware or software may be included in a secure circuit such as an application-specific IC (ASIC).

[0028] Likewise, the scrambling sender, e.g., a PC in someone's home scrambling information such as credit card numbers for delivery to a merchant over the Internet, uses the required keys loaded at the time of manufacture or application installation and initialization, to derive a key to scramble the sensitive data for transmission.

[0029] In the PC example, the scrambling can be done in a software module, but the scrambling may not actually take place in what is considered the secure circuit. The key derived in either case (for scrambling and descrambling) may be output from the secure circuit to the hardware or software scrambling/descrambling module, or the key may be held internally to the secure circuit, with the decryption module internal to the secure circuit. Preferably, the key is held and the scrambling/descrambling is performed internally to the secure circuit.

[0030] If the key is output from the secure circuit, it can be changed very quickly, even several times a second, thereby making its knowledge only of short lived use. The scrambling/descrambling hardware or software module may be located remotely from the secure circuit which derived the key to scramble/descramble the data transmission.

[0031] For a PC executing instructions over a network, the secure circuit may be the PC itself, and the descrambling unit could simply be a software module that receives a length and pointer to, for example, a message in internal or external memory, along with the appropriate key and cryptographic function identifier.

[0032] The function performed by the cryptographic processing in the secure circuit could entail message hashing, signing, and signature authentication using publicly known hashing algorithms and public key cryptography.

[0033] In both the ASIC case and the PC case above, a microprocessor is typically used for implementing access control, performing hashing, signature verification, signing and authentication functions. This processing verifies that the secure circuit is indeed authorized to decrypt the data transmission. If authorized, the microprocessor then derives the descrambling key for the data transmission. The secure circuit typically has an internal storage device, e.g., memory, for storing descrambling program information for use by the microprocessor, storage for storing the descrambling key data and state of the decoder, and a scratch-pad memory for storing intermediate calculations and temporary data. The state of the descrambling receiver, e.g., decoder, may indicate, for example, whether the decoder is tuned to a particular channel and the channel identifier. The state of the descrambling receiver may also store whether it is authorized to receive the channel, and whether a program tuned, for example, is subscription, pay-per-view, or video-on-demand.

[0034] It would therefore be desirable to make pirate attacks against cryptographic key generators executing with external memory more difficult.

Problem: Inflexibility of Using Internal ROM, and RAM Capacity Issues

[0035] For an ASIC, the internal memory used by the IC to store program information may be created from read-only memory (ROM), an erasable programmable read-only memory (EPROM), an electrically erasable programmable read-only memory (EEPROM), Flash memory, or a battery-backed random access memory. Typically, the foundry processes for manufacturing ASICs with the smallest geometries and fastest circuits are developed and characterized for ROM- and RAM-based technology initially. EEPROM and Flash capability come at a later time. Therefore, a performance advantage over other technologies may be obtained by designing the ASIC to use ROM- and RAM-based technology. Also, it is easier for VLSI foundries to build devices with ROM and RAM than with EEPROM and Flash because of their simpler design. Therefore, the designer may realize a lower manufacturing cost with ROM- and RAM-based designs.

[0036] Creating an internal memory entirely out of battery-backed RAM is generally impractical because a RAM cell, with its ability to allow reading and writing of data, contains many more gates and is typically a much larger structure than a ROM cell, which only allows reading of data. Therefore, such a RAM memory stores far less programming information than a ROM memory of equal physical size.

[0037] However, there are drawbacks to storing the programming information in internal ROM since the entire ASIC must be replaced to change the program information. This may be necessary or desirable, for example, to fix a software problem (e.g., bug), or to provide new or customized features for different customers. To achieve this, a new chip must be manufactured with the change in program information. This can be very costly and time-consuming.

[0038] Also, no matter how much storage of any type is built into the secure circuit, e.g., an ASIC, it may be too much or too little for any given application. If the storage is larger than required, the price of the secure circuit is higher than necessary. If the storage is smaller than required, then the secure circuit is either inadequate for the task, or features must be omitted to make the software fit. Rarely is the size of the storage just right.

[0039] Accordingly, it would be desirable to provide a scheme for modifying the capacity of a storage device, e.g., the amount of memory, and for easily and inexpensively updating the program information of a secure circuit such as a cryptographic chip. The system should store the program information in a storage device which is external to the secure circuit and provide for efficient and secure transfer of the program information between the storage device and the secure circuit. The transfer of program information should be fast enough, even over a network, to meet code execution requirements. Moreover, the amount of internal storage, e.g. memory, required to make the secure circuit operate should be limited. The system may use a limited amount of quickly accessible internal program information which could boot the secure circuit, monitor error conditions, interpret pseudo-code, or handle real-time processing events. However, if this internal program information is stored in an inflexible form, e.g. ROM or read-only CD-ROM, it cannot be changed as easily as externally stored program information.

Problem: Securing External Storage - Authentication Overhead

[0040] In the past various encryption techniques have been used on bytes and blocks. But pirates have employed a variety of "attacks" to break the security of the system. One attack attempts to get the secure circuit to read the encrypted memory and write it out to a clear area where the program information may be captured and then analyzed. An attack of this type actually employs the decryption circuitry itself to decrypt the program information, precluding the need to do more extensive analysis.

[0041] Another attack tries to break the security of the application itself, by changing the execution of the application in order to make the secure circuit, in this case in the descrambling receiver, descramble premium services without paying the appropriate subscription fees. To accomplish these and other attacks, the pirates attempt to modify the contents of the external storage device, e.g., memory. And to accomplish this, one technique used is "trialing," where program information in the external storage device is manipulated in a trial and error approach. The pirate does not know which secret key or keys were used to encrypt the program information, but attempts to manipulate the program information in the external storage device until a useful outcome is obtained.

[0042] To prevent these and other attacks from being successful, either authentication, stronger encryption, re-ordering of chain fields, or any combination of the above, may be used.

[0043] Authentication may be used to verify the origin of the program information. In a system using authentication, the secure circuit will not process program information which is not accompanied by the correct authentication information. Strong prior art authentication is expensive. However, the amount of authentication information must be sufficiently large to provide an adequate level of security. In conventional memory encryption schemes using byte encryption or block encryption, authentication information would be needed with each byte or block which the chip fetches from the external storage device. For a single byte of program information, several bytes of authentication information would be needed to prevent trialing. In other words, the byte would need to be widened to include the additional authentication information. If an eight bit byte of program information were widened to include only 8 additional bits of authentication information, the authentication information could easily be determined by trialing since, with eight bits per byte, there are only 2^8 = 256 possible trialing combinations. To provide a security level comparable to the Data Encryption Standard (DES), 56 bits (seven bytes) might be used to provide 2^56 = 7.2 x 10^16 possible combinations of authentication information. The authentication information would thus represent (7/(1 + 7)) or 87% of the overall storage. This amount of overhead data is very inefficient.

[0044] With block encryption, several bytes of data are grouped and authenticated in a block. For example, a block size of 8 data bytes may be used. Then, with eight bytes of authentication information, the overhead is still very high at (7/(7+8)) or 47% of the overall storage. This excessive overhead data can severely affect the cost of the overall system by requiring a significantly larger storage device just to handle the authentication information. This is unacceptable with consumer electronic devices such as hand held games, cellular phones, and television decoders which must be manufactured at the lowest possible cost. In particular, the cost of the storage devices is usually a significant limiting factor. Thus, the amount of authentication information overhead is unacceptably large with existing data authentication schemes.

[0045] Accordingly, it would be desirable to have a system which minimizes the amount of authentication information (e.g., check bits) which is required to securely communicate program information.
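As an added worked example (not part of the patent text), the following Python reproduces the overhead ratios of [0043] and [0044] and shows why one tag per chain reduces them: program information is split into 8-byte blocks, the blocks are grouped into chains, and each chain carries a single truncated HMAC-SHA256 tag that also binds the chain's index so a valid chain cannot be copied to another position. The demo key, the 128-byte sample program, the chain length of eight blocks and the HMAC construction are assumptions of this example; the patent does not specify its authentication function here. The overhead figures use seven tag bytes, the ratio the page writes as 7/(7+8).

```python
import hashlib
import hmac
from typing import List, Tuple

BLOCK_BYTES = 8   # 8-byte blocks, as in the page's block-encryption example
TAG_BYTES = 7     # 56 bits of authentication per unit, the page's DES-comparable figure


def overhead_fraction(tag_bytes: int, data_bytes: int) -> float:
    """Share of total storage taken up by authentication information."""
    return tag_bytes / (tag_bytes + data_bytes)


def trialing_space(auth_bits: int) -> int:
    """Number of candidate values a trialing attack must exhaust for an auth field of auth_bits bits."""
    return 2 ** auth_bits


def chain_tag(key: bytes, chain_index: int, blocks: List[bytes]) -> bytes:
    """One truncated HMAC-SHA256 tag over every block of a chain plus its chain index."""
    mac = hmac.new(key, chain_index.to_bytes(4, "big"), hashlib.sha256)
    for blk in blocks:
        mac.update(blk)
    return mac.digest()[:TAG_BYTES]


def store_chains(key: bytes, program: bytes, blocks_per_chain: int) -> List[Tuple[List[bytes], bytes]]:
    """Split program information into chains of fixed-size blocks, one tag per chain."""
    blocks = [program[i:i + BLOCK_BYTES] for i in range(0, len(program), BLOCK_BYTES)]
    chains = []
    for start in range(0, len(blocks), blocks_per_chain):
        chain_blocks = blocks[start:start + blocks_per_chain]
        chains.append((chain_blocks, chain_tag(key, start // blocks_per_chain, chain_blocks)))
    return chains


def verify_chain(key: bytes, chain_index: int, blocks: List[bytes], tag: bytes) -> bool:
    """Secure-circuit side check performed before any block of the chain reaches the CPU."""
    return hmac.compare_digest(chain_tag(key, chain_index, blocks), tag)


def tamper_detected(key: bytes, chains, chain_index: int, block_index: int, byte_index: int) -> bool:
    """Flip one bit in one stored block and report whether verification rejects the chain."""
    blocks, tag = chains[chain_index]
    mutated = list(blocks)
    b = bytearray(mutated[block_index])
    b[byte_index] ^= 0x01
    mutated[block_index] = bytes(b)
    return not verify_chain(key, chain_index, mutated, tag)


# Constructed sample: a 128-byte "program" and a demo key (neither is from the page).
DEMO_KEY = b"demo-secure-circuit-key"
DEMO_PROGRAM = bytes(range(128))
DEMO_CHAINS = store_chains(DEMO_KEY, DEMO_PROGRAM, blocks_per_chain=8)

if __name__ == "__main__":
    print("per-byte overhead:  %.1f%%" % (100 * overhead_fraction(TAG_BYTES, 1)))
    print("per-block overhead: %.1f%%" % (100 * overhead_fraction(TAG_BYTES, BLOCK_BYTES)))
    print("per-chain overhead: %.1f%%" % (100 * overhead_fraction(TAG_BYTES, 8 * BLOCK_BYTES)))
    print("8-bit tag trial space:", trialing_space(8), " 56-bit:", trialing_space(56))
    print("all chains verify:", all(verify_chain(DEMO_KEY, i, b, t) for i, (b, t) in enumerate(DEMO_CHAINS)))
    print("one flipped bit detected:", tamper_detected(DEMO_KEY, DEMO_CHAINS, 1, 3, 5))
```

Any single-bit change in a stored block, or a chain copied to another chain position, fails verification before the CPU sees it, and the cost is seven tag bytes per chain rather than per byte or per block: the overhead falls from 87% per byte to about 10% with eight blocks per chain, and keeps falling as chains get longer.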

Problem: Encryption of Program Information Inadequate

[0046] Trialing attacks on a single encrypted byte of program information are trivial to perform. Assuming an 8 bit byte again, this requires the trialing of only 2^8 = 256 possibilities for the program information to obtain an exact result. For some pirate attacks, however, the ability to simply change program information to something different is a goal. In this example then, simply the ability to trial a single byte value without influencing other bytes would result in a successful pirate attack.

[0047] Trialing attacks on a single encrypted block of program information are a bit more difficult but still manageable. Large general purpose Reduced Instruction Set Computing (RISC) processors, for example, have instructions that are 64 bits long. Assuming an 8 byte block and 8 bits per byte, it is relatively easy for a pirate to alter a block of program information and affect only one instruction.

[0048] Even with instruction widths half that size, e.g., 32 bits, only two instructions are affected. So called Complex Instruction Set Computing (CISC) processors are equally at risk for attack. And CISC processors described as "8 bit processors" are not really 8 bits because they typically require the fetching of one, two, or three operands of program information, which makes any instruction have between 8 and 32 bits, with an average of about 20 bits, but this depends on the choice of instruction used by the program. Therefore, trialing an 8 byte block of encryption values for so called "8 bit" instructions might only affect three instructions.

[0049] Accordingly, it would be desirable to have a more robust encryption algorithm to securely communicate program information.

Problem: Execution, Even Encrypted, is Observable

[0050] Even though blocks of program information may be encrypted or authenticated, someone observing the traffic of data on a communications means, e.g. bus or network, can learn about the function and design of the program information. The more information that a pirate might learn about the program information, the more ways that he might have to alter program execution. An internal storage circuit such as a cache may obfuscate some of the function and design by referencing data that was either only decrypted, decrypted and authenticated, or simply authenticated from the internal storage circuit rather than having to fetch the program information again externally.

[0051] A problem arises, however, because the original communication sequence, that which loaded the program information into the cache in the first place, may be observed. A system without a cache is even easier to analyze because recursive code, e.g., loops, can be seen on the external interface. It would be easy to see the same encrypted, encrypted and authenticated, or simply authenticated program information being communicated over and over again. A cache will blind this operation by making the communication internal to the cache and not visible on the communication means. However, a clever pirate might notice that no external communication was occurring and conclude that therefore some sort of internal operation was occurring. In principle, it is not desirable to have a pirate learn anything about the algorithm being executed. This includes the overall structure such as byte to block, block to chain or chain to program information sequence association, sequence of processing such as always executing particular program information on boot-up, and the organization of the program information such as data table organization.

[0052] It would therefore be desirable to have techniques for obfuscating the execution of encrypted, authenticated, or any chain of program information. It would be desirable to communicate the program information in a manner which is out-of-sequence from the true execution sequence by the secure circuit. The sequence may be obfuscated within a block, chain, or program information sequence.

[0053] That is, it would be desirable to obfuscate the sequencing of the bytes that make up a block, the blocks that make up a chain, and the chains that make up a program information sequence. The sequence permutation may be fixed and yet be different on a byte by byte, block by block, chain by chain, or program information sequence basis. It would be desirable to spread the sequence obfuscation to be of greater depth, that is, greater than a block, for instance, over two blocks or for that matter an entire chain. The same would be desirable for all of the other fields.

Problem: Sequence Permutation Algorithm may be Discovered

[0054] Any sequence permutation algorithm implemented in hardware may be discoverable by a pirate probing the VLSI or other analysis. The permutation function may be keyed and be both address and unit dependent. However, this does not preclude a determined pirate from discovering what the key and dependencies are.

[0055] It would therefore also be desirable to have a way of making analysis and reverse engineering of the sequence permutation more difficult.

Problem: Underlying Sequence Does not Change - Address Location Always the Same

[0056] Even with the sequence permutation, a pirate may observe every communication between the storage device and the secure circuit and know which bytes belong to which blocks, and which blocks belong to which chains. That is, a particular address location in the storage device is associated with a particular byte, block or chain sequence. The address location will always contain the same information. The pirate may not know what the exact positional information is because of the sequence obfuscation, but he knows that its association with the other bytes, blocks or chains is fixed. The pirate does not need to know what the value of the program information stored at a particular location is. The pirate can trial a value at that storage location. The pirate can do this systematically going through all values even though the storage location is accessed at varying times due to the sequence permutation techniques.

[0057] It would therefore be desirable to have a scheme for dynamically changing the address location in the storage device where data representing a particular byte, block, or chain sequence is located in the storage device, to prevent someone from systematically trialing code.
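The following is an added example (not the patent's own algorithm) of the keyed, address- and unit-dependent sequence permutation called for in [0053] and [0054], combined with the changing address location of [0057]. Bytes within each block, blocks within each chain and chains within the program are each re-ordered by a Fisher-Yates shuffle driven by HMAC-SHA256 of the key, the field type and the address, so the secure circuit can recompute every permutation while an observer of the bus sees a different order for every unit. An `epoch` counter stands in for the changing address signal: advancing it moves every chain to a new storage slot without touching the key. The demo key, the unit labels, the address encoding, the epoch counter and the sample program are all assumptions of this example.

```python
import hashlib
import hmac
from typing import List, Sequence, TypeVar

T = TypeVar("T")

# Which field of the chain structure a permutation applies to (constructed labels).
UNIT_BYTE, UNIT_BLOCK, UNIT_CHAIN = 0, 1, 2


def keyed_permutation(key: bytes, unit: int, address: int, n: int) -> List[int]:
    """Permutation of range(n) that depends on the key, the field type and the address.

    A Fisher-Yates shuffle fed by HMAC-SHA256 output: identical inputs always give
    the same order, so the secure circuit can undo it, while a different address
    gives an unrelated order.  Illustrative construction, not the patent's."""
    seed = hmac.new(key, b"%d:%d" % (unit, address), hashlib.sha256).digest()
    perm = list(range(n))
    stream, counter = b"", 0
    for i in range(n - 1, 0, -1):
        if len(stream) < 4:                       # refill the keyed pseudo-random stream
            stream = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
            counter += 1
        j = int.from_bytes(stream[:4], "big") % (i + 1)
        stream = stream[4:]
        perm[i], perm[j] = perm[j], perm[i]
    return perm


def scramble(items: Sequence[T], perm: List[int]) -> List[T]:
    """Order in which items sit in storage or cross the bus: slot k holds items[perm[k]]."""
    return [items[p] for p in perm]


def unscramble(stored: Sequence[T], perm: List[int]) -> List[T]:
    """Inverse of scramble(): restore true execution order inside the secure circuit."""
    restored = [None] * len(perm)
    for k, p in enumerate(perm):
        restored[p] = stored[k]
    return restored


def _block_address(chain_index: int, block_index: int) -> int:
    return (chain_index << 16) | block_index      # assumed address encoding for byte-level permutations


def store_program(key: bytes, chains: List[List[bytes]], epoch: int) -> List[List[bytes]]:
    """Re-order bytes within blocks, blocks within chains and chains within the program."""
    out = []
    for c_idx, chain in enumerate(chains):
        blocks = []
        for b_idx, block in enumerate(chain):
            p = keyed_permutation(key, UNIT_BYTE, _block_address(c_idx, b_idx), len(block))
            blocks.append(bytes(scramble(list(block), p)))
        blocks = scramble(blocks, keyed_permutation(key, UNIT_BLOCK, c_idx, len(blocks)))
        out.append(blocks)
    # chain slots depend on the epoch, so a bumped epoch relocates every chain
    return scramble(out, keyed_permutation(key, UNIT_CHAIN, epoch, len(out)))


def load_program(key: bytes, stored: List[List[bytes]], epoch: int) -> List[List[bytes]]:
    """Secure-circuit side: undo the three permutation levels in reverse order."""
    chains = unscramble(stored, keyed_permutation(key, UNIT_CHAIN, epoch, len(stored)))
    out = []
    for c_idx, blocks in enumerate(chains):
        blocks = unscramble(blocks, keyed_permutation(key, UNIT_BLOCK, c_idx, len(blocks)))
        original = []
        for b_idx, block in enumerate(blocks):
            p = keyed_permutation(key, UNIT_BYTE, _block_address(c_idx, b_idx), len(block))
            original.append(bytes(unscramble(list(block), p)))
        out.append(original)
    return out


# Constructed sample: 2 chains of 3 blocks of 8 bytes and a demo key (not from the page).
DEMO_KEY = b"demo-permutation-key"
DEMO_CHAINS = [[bytes(range(8 * b, 8 * b + 8)) for b in range(3 * c, 3 * c + 3)] for c in range(2)]

if __name__ == "__main__":
    stored = store_program(DEMO_KEY, DEMO_CHAINS, epoch=1)
    print("stored layout (epoch 1):", [[blk.hex() for blk in ch] for ch in stored])
    print("round trip ok:", load_program(DEMO_KEY, stored, epoch=1) == DEMO_CHAINS)
```

Because each level uses its own address, two blocks with identical content are stored in different byte orders, and because the chain-level permutation takes the epoch as its address, the storage slot of a given chain changes whenever the epoch does; both properties are what deny an observer the fixed location-to-content association described in [0056].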

Problem: Every Communication is Pertinent 

[0058] A pirate may observe every communication of 
program information between the storage device and 
know that it is encrypted, authenticated, sequence per- 
muted or all of the above. 

[0059] For additional obfi^cation, it would be desira- 
ble to communicate "dummy" or not necessarily needed 
data with the program information communicated. 

Problem: Bi-directional Write and Read Required 

[0060] The storage device can be read-only, but there are many reasons why the storage device should also be write-able. Different cryptographic and non-cryptographic yet proprietary applications have varying requirements for data storage.

[0061] Modern cryptographic applications often employ public key cryptography, which generally requires larger keys than secret key cryptography. The scrambling sender or descrambling receiver may perform some type of cryptographic application which may interface on an open network such as the Internet, which may require the storing of a number of various public keys, e.g., from a Root Authority or Certificate Authority. Also, with pay television decoders, there are public keys for the access control system and/or the decoder manufacturer. Over time, many more public keys may need to be stored as a result of interacting on the network. Some of these keys are meant to be long lived, and the public keys may be 2048 bits, 4096 bits, or larger. Consequently, a large capacity storage device, e.g., a large amount of read/write storage, may be required for storage of keys and other related information to effect a viable cryptographic application.

[0062] The same can be said for many proprietary applications. The trend is to process more and more data. It is desirable to have as great a flexibility in the type and amount of storage for writing and later retrieval of program information as there is for just reading program information.

[0063] Accordingly, it would be desirable to have secure bi-directional communication between an external storage device and a secure circuit, where this has the flexibility to accommodate growing requirements for additional program information storage without requiring a design change of the secure circuit. Also, the security of the overall implementation must not be diminished.

Problem: Communication with Non-Secure Outside World and Alternative Security Modes

[0064] The secure circuit may have to interface with display devices, peripherals or computers which do not have a decryption means. This is important where interactivity with a human is involved. For example, if a customer inputs a Personal Identification Number (PIN) code wrong, it may be necessary for the secure circuit to inform the customer of the problem so that the PIN may be reentered. This may require communication to the host device of an error condition or of an error message which may be displayed appropriately on a screen. There may be a shortage of pins, communication ports, or buses which may be dedicated to external communication.

[0065] The execution of some program information may have reduced execution latency requirements, requiring an alternate communication mode other than by chains. Also, the secure circuit may need to inter-operate with other devices which have different security schemes.

[0066] It would also be desirable to provide a conditional clear mode whereby no encryption/decryption, authentication generation/verification, or sequence permutation of the program information is performed. This conditional clear mode would not only allow a possible chip debug facility, but also allow the secure circuit to interface, send and receive clear data, with the world at large, such as display devices, other computers, and the like, thereby allowing the communications means to be used for more than the conveyance of program information. This would reduce the number of separate pins, communication ports, and buses used for external communication.

[0067] It would also be desirable to switch off the chain encryption/decryption, authentication generation/verification, or sequence permutation of the program information, in favor of a different type of encryption/decryption, authentication/verification, or sequence permutation that is not based on chains. For example, instead of a chain, byte or block processing may be used.

Problem: Detection of Chain Lengths 

[0068] A pirate may be able to analyze the execution of the program information to determine what program information belongs with a particular chain. That knowledge could allow a pirate to trial program information in a more selective fashion. In principle, it is a good idea to prevent a potential pirate from learning anything about how the program information is executing.

[0069] It would therefore be desirable to communicate blocks of program information with variable chain lengths in random sequence from one chain to the next, with no particular consideration being given to the program information being executed.

Problem: Different Latency Requirements 

[0070] Real-time interrupt subroutines have different execution latency requirements than background or maintenance routines. There is a natural tendency for a designer to make shorter chains for all of the program information simply to handle the faster execution requirements of real-time interrupt subroutines. But reducing chain lengths for all of the program information may unnecessarily increase the storage capacity required of the storage device to accommodate the increased amount of authentication information.

[0071] It would therefore be desirable to communicate blocks of program information and associated authentication information in block chains, where different chain lengths may be used for communicating different types of program information with different latency requirements. Routines placed in lower address locations could have lower latency, while those in a higher address location of a storage device could have higher latency requirements.

Problem: General Communication/Storage Latency Requirements

[0072] While certain routines may have special execution latency considerations, the latency may still be too much for certain applications. Consequently, means must be explored to allow for more efficient communication and storage of program information.

[0073] It would be desirable to design certain features into the architecture of the communication means and secure circuit in order to help reduce program information latency to help speed up execution.

Problem: Authentication/Verification Latency Requirements

[0074] While certain routines may have special execution latency considerations, the latency due to authentication/verification may still be too much for certain applications. Consequently, means must be explored to allow for more efficient authentication/verification.

[0075] It would therefore be desirable to design certain features into the authentication/verification function to help reduce program information execution latency.

Problem: Encryption/Decryption Latency Requirements 

[0076] While certain routines may have special execution latency considerations, the latency due to encryption/decryption may still be too much for certain applications. Consequently, means must be explored to allow for more efficient encryption/decryption.

[0077] It would therefore be desirable to design certain features into the encryption/decryption function to help reduce program information execution latency.

[0078] The present invention provides a system having the above and other advantages.

SUMMARY OF THE INVENTION 

[0079] In accordance with the present invention, an apparatus is presented for securely communicating encrypted blocks of program information between a storage device and a secure processing circuit in cipher block chains.

[0080] An apparatus is presented for securely communicating authenticated blocks of program information between a storage device and a secure processing circuit in block chains.

[0081] An apparatus is presented for securely communicating re-ordered fields of program information between a storage device and a secure processing circuit in chains.

[0082] The present invention further provides an apparatus for cryptographically generating a key whereby the key may be used to gain access to a data transmission or the like.

[0083] In one aspect of the present invention, an apparatus for securely communicating blocks of program information between a storage device and a secure circuit includes means for providing at least one block of program information, including a particular block comprising a plurality of bytes having a first byte sequence.

[0084] One block buffer sized to store one block of data is all that is required for a minimal implementation since the data can be processed serially, one block at a time.

[0085] Means, such as an address generator, are provided for storing the block(s) of program information in the storage device.

[0086] Cipher block chaining is a robust encryption algorithm because a change in one block will cascade changes to other blocks, making it difficult for a pirate to effect a simple change to the program information.

[0087] Cipher block chaining may be used to both hash and encrypt for privacy. The last clear text block may be exclusive ORed (XORed) on the encrypted authentication block to provide a dependence of the entire cipher block chain on the decryption of the authentication block.

[0088] For example, the program information and authentication information may be carried in two or more eight-byte blocks. Block chaining is efficient due to the relatively low overhead of the authentication information relative to the authenticated data. The authentication information is XORed with the last clear data (e.g., program information) block and optionally decrypted to yield a verification value. The value is compared to a value which is known by the hardware to verify that the authentication data is correct. The value may be different for different chains or it may be fixed for all chains. To provide additional separation between keys, the key used to decrypt the authentication information may be different than that used to decrypt the authenticated information. Also, with each decryption operation the key may be modified with the address to provide address dependency of each block within a chain.

EP 0 908 810 A2

[0089] For more robust security, cipher block chaining may be used along with another hashing algorithm. There is no additional latency penalty for doing this since each block must be processed in a serial fashion. When the first block is decrypted it not only is XORed with the cipher text of the second block, but it is also submitted to the authentication circuit. The last block is the authentication bits, and it does not require submission to the authentication circuit; it is simply decrypted and compared to a value held in the hardware.
[0090] A first communication path such as a bus is provided to communicate blocks of the program information and authentication information between the external storage device and the one or more block buffers in a chain. One block buffer sized to store one block of data is all that is required for a minimal implementation since the data can be processed serially, one block at a time. The authentication information is read in and verified by the authentication circuit.

[0091] The program information is decrypted, if necessary, in a deciphering circuit which is associated with the authentication circuit. Cryptographic key data from an associated storage device may be used for this purpose.

[0092] If a pirate changes any data in preceding blocks in the chain for trialing, the computed hash data that is compared with the authentication information will be incorrect, and the resulting verification value will not match. The secure circuit, such as an ASIC or PC, will then know that tampering has occurred and countermeasures may be taken.

[0093] There are a number of ways the authentication operation can be implemented. The hashing may be keyed, e.g., using a secret key with the authentication information in-the-clear; or the hashing may not be keyed and the authentication information is encrypted; or, for more robust security, the hashing is keyed and the authentication information is encrypted. Different keys may be used to hash and to decrypt. The hashing key may be a secret key, while the authentication information may be encrypted under a public key. The same key used to encrypt the authentication information may be used to encrypt the program information being authenticated. That has the benefit of the authentication information being treated in a similar fashion as the program information. However, using a separate key would add another level of security.

[0094] In an alternative embodiment, block encryption is used for privacy. When decrypted, the blocks are authenticated. The authentication technique used can be a hash which might require a strict order of hashing, e.g., block #1 hashed, then block #2 hashed with the output of the hash of block #1, and so on. Known algorithms such as MD5 and SHA may be used for this type of strict hashing.

[0095] Although such hashing may be used, the hashing can introduce a latency due to the serial nature of the operation. A simplified hashing function can be provided that performs an XOR of all of the clear blocks. That hash value can be verified with the authentication information. In fact, the authentication information can be XORed as a block along with the program information. This technique improves program information execution latency, which is important for real time operating systems. Here, each block of data can not only be decrypted independently as in Electronic Code Book as called out by FIPS, but also XORed independently while computing the hash for the entire chain. This technique, which is termed "simple block chaining", emphasizes reduction in execution latency.
[0096] Detection of illegal op-codes or illegal interpreted code commands may be used as a form of authentication. Upon receipt of an illegal op-code or command, the system can decide how to respond, e.g., reset, increment a counter, or some other action.

[0097] The creation of an illegal op-code by a pirate depends on the instruction set of a given processor. Some instruction sets are fully developed and have few undefined or illegal op-codes, while other instruction sets are reduced and have more. If an instruction set, for example, had 20% undefined or illegal op-codes, then that means that a pirate has an 80% chance of randomly creating a legal op-code. This is not to say that the pirate generated a particular op-code, rather a legal one. But a random legal op-code other than the intended one could make for a successful pirate attack. For example, this might be the case if simple nullification of the original op-code was the goal. With the odds of 80% in favor of a pirate, this method of simply detecting illegal op-codes leaves much to be desired.
[0098] Illegal op-code detection as a form of authentication is more effective with cipher block chaining, because the odds of a pirate creating an illegal op-code are increased as each subsequent block in a particular chain will be affected. For example, if there are sixteen blocks of instructions in a chain, then the odds of a pirate being successful if the pirate alters the very first block of the chain are as follows: (0.8)^16 = 0.028. The situation has changed; the pirate now has approximately a 97% chance of failing. Cipher block chaining is a more robust encryption method for this reason: this implicit authentication through the detection of illegal op-codes. But cipher block chaining is also better because it makes it more difficult for a pirate trialing the encryption of program information to isolate any changes made to a single block, thereby increasing the odds of creating unintended op-codes with unwanted side effects.
[0099] A problem is that the external storage device stores more than just op-codes. Only op-codes can be verified by the instruction decode circuitry of the CPU. More robust security requires explicit authentication.

[0100] Authentication can be performed either by XORing the authentication information with a hash of the clear text data blocks to produce a verification value that is subsequently compared to a pre-stored value, or the authentication information can be simply compared to the hashed program information.
[0101] The authentication function may optionally hash blocks of program information that were communicated in the clear to XOR with the decrypted authentication information. In order to prevent pirates from creating their own authenticated program information using a known hashing algorithm, a cryptographic key must be used. This can be done two ways: keying the hashing or keying the authentication, or both.
[0102] Simple block chaining, an alternative technique which addresses latency problems, uses a singular block encryption of each block of program information. Thus, each block is encrypted and decrypted independently so processing may occur in parallel. Moreover, the entire chain, or group, of blocks is authenticated. One method of hashing is to XOR the program information blocks together and with the authentication information. This can be done all at once.
[0103] More complicated hashing may be used as well for more robust security, but these methods may introduce a serial dependence, whereby one block may need to be hashed ahead of another block. Simple block chaining, using the encryption and authentication process described above, reduces the authentication bit overhead, as with cipher block chaining, but can avoid the latency problems of cipher block chaining when parallel deciphering circuitry is used. If only a single block buffer is used, then the latency is about the same for cipher block chaining and simple block chaining, the only difference being that the output of one block decryption is XORed with the output of the next decryption (with simple block chaining) rather than the input to the next decryption (with cipher block chaining).
[0104] The simple block chaining method, decrypting and authenticating using the XOR of clear blocks, suffers from the problem that any of the blocks may be re-ordered out of sequence and the authentication will still check out. So while decryption and authentication operations may be done in parallel, a potential problem has been introduced. Encryption with address dependency should be used with simple block chaining using the simple XOR hashing function.
[0105] That is, the key used with each block in the chain would be different, with the key being a function of the address of the specific block. If DES encryption were used, changing any of the program information of a block for trialing would cause approximately half of the bits in the decrypted output to change, causing the authentication verification to not check out. Without knowledge of the key, it would be difficult for a would-be pirate to find the proper authentication information to compensate.
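The two chaining schemes contrasted in [0086]-[0089] and [0102]-[0105] can be checked end to end with the following added example. It is not code from the patent; it is a model written for this page. A four-round Feistel network built on HMAC-SHA256 stands in for DES (it is not a real cipher, only an invertible eight-byte block function); the function names, the per-block key derivation used for address dependency and the verification constant are assumptions, and the sample program blocks and keys are constructed. The cipher block chaining modelled is the variant the patent describes in [0089] and [0103], where the clear output of one block decryption is XORed into the input of the next, so that the last clear block depends on every earlier ciphertext block and can serve as the chain digest. The demo returns which verifications succeed: swapping two blocks inside a simple-block-chaining chain still verifies (the weakness of [0104]), while the same swap fails under the chained mode and under simple block chaining with address-dependent keys ([0105]), and a single trialled bit fails everywhere.

```python
import hashlib
import hmac

BLOCK = 8                        # eight-byte blocks, as in the patent
VERIFY_CONST = b"\x5a" * BLOCK   # constructed stand-in for the "value known by the hardware"


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, half: bytes, r: int) -> bytes:
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:4]

def enc_block(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel cipher on 8-byte blocks: a stand-in for DES, NOT secure."""
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, r, i))
    return l + r

def dec_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, l, i)), l
    return l + r

def xor_hash(blocks) -> bytes:
    """The simplified hash of [0095]: XOR of all clear blocks."""
    h = bytes(BLOCK)
    for b in blocks:
        h = _xor(h, b)
    return h

def make_auth_block(auth_key: bytes, digest: bytes) -> bytes:
    """E(auth_key, digest XOR VERIFY_CONST): decrypting it and XORing with the receiver's own digest gives VERIFY_CONST only if they agree."""
    return enc_block(auth_key, _xor(digest, VERIFY_CONST))

def check_auth_block(auth_key: bytes, auth_block: bytes, digest: bytes) -> bool:
    return _xor(dec_block(auth_key, auth_block), digest) == VERIFY_CONST

# Cipher block chaining as the patent describes it ([0089], [0103]): the clear output of one
# block is XORed into the INPUT of the next decryption, so any change garbles every later block.
def cbc_encrypt_chain(key, auth_key, clear_blocks, iv):
    prev, out = iv, []
    for p in clear_blocks:
        out.append(_xor(enc_block(key, p), prev))
        prev = p
    return out + [make_auth_block(auth_key, clear_blocks[-1])]   # last clear block is the digest

def cbc_verify_chain(key, auth_key, chain, iv):
    *cipher, auth = chain
    prev, clear = iv, []
    for c in cipher:
        prev = dec_block(key, _xor(c, prev))
        clear.append(prev)
    return check_auth_block(auth_key, auth, clear[-1]), clear

# Simple block chaining ([0102]-[0105]): independent (ECB) block encryption, XOR hash over the chain.
def _block_key(key: bytes, addr: int, address_dependent: bool) -> bytes:
    # Assumed derivation; the patent only says the key is "modified with the address".
    return hashlib.sha256(key + addr.to_bytes(4, "big")).digest() if address_dependent else key

def sbc_encrypt_chain(key, auth_key, clear_blocks, base_addr, address_dependent):
    cipher = [enc_block(_block_key(key, base_addr + i * BLOCK, address_dependent), p)
              for i, p in enumerate(clear_blocks)]
    return cipher + [make_auth_block(auth_key, xor_hash(clear_blocks))]

def sbc_verify_chain(key, auth_key, chain, base_addr, address_dependent):
    *cipher, auth = chain
    clear = [dec_block(_block_key(key, base_addr + i * BLOCK, address_dependent), c)
             for i, c in enumerate(cipher)]
    return check_auth_block(auth_key, auth, xor_hash(clear)), clear

def tamper(chain, swap=None, flip=None):
    """Pirate models: swap two blocks on the bus ([0104]) or trial one bit of a block ([0092])."""
    c = list(chain)
    if swap:
        i, j = swap
        c[i], c[j] = c[j], c[i]
    if flip is not None:
        c[flip] = bytes([c[flip][0] ^ 0x01]) + c[flip][1:]
    return c

def demo():
    key, auth_key, iv, base = b"K" * 16, b"A" * 16, bytes(BLOCK), 0x1000   # constructed
    program = [bytes([i] * BLOCK) for i in range(1, 5)]                    # constructed 4-block "program"
    cbc = cbc_encrypt_chain(key, auth_key, program, iv)
    sbc = sbc_encrypt_chain(key, auth_key, program, base, False)
    sbc_addr = sbc_encrypt_chain(key, auth_key, program, base, True)
    return {
        "cbc_ok": cbc_verify_chain(key, auth_key, cbc, iv)[0],
        "cbc_swap": cbc_verify_chain(key, auth_key, tamper(cbc, swap=(1, 2)), iv)[0],
        "cbc_flip": cbc_verify_chain(key, auth_key, tamper(cbc, flip=0), iv)[0],
        "sbc_ok": sbc_verify_chain(key, auth_key, sbc, base, False)[0],
        "sbc_swap": sbc_verify_chain(key, auth_key, tamper(sbc, swap=(1, 2)), base, False)[0],
        "sbc_flip": sbc_verify_chain(key, auth_key, tamper(sbc, flip=0), base, False)[0],
        "sbc_addr_ok": sbc_verify_chain(key, auth_key, sbc_addr, base, True)[0],
        "sbc_addr_swap": sbc_verify_chain(key, auth_key, tamper(sbc_addr, swap=(1, 2)), base, True)[0],
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:14s} verifies: {ok}")
```

Only "sbc_swap" comes back True among the tampered chains: the XOR hash is order-independent, so re-ordering inside a simple-block-chaining chain is invisible to it until the per-block key is tied to the block's address.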

[0106] In an attempt to reduce program information execution latency, the authentication may be performed on the cipher text data using either a keyed hash or encryption of the authentication information. Decryption and authentication may then operate simultaneously, rather than authentication after decryption. For simple block chaining, this has a problem that address-dependent decryption will not have been performed on the program information, possibly making it vulnerable to being submitted to the decryptor out-of-sequence.
[0107] Random sequence permutation of fields within a chain during the communication between the external storage device and the secure circuit may be used. Means, such as a data bus or network, are provided for communicating the program information with the secure circuit.

[0108] Means associated with the secure circuit are provided to re-order the re-ordered fields of the chain to recover the fields in the first field sequence. A chain of program information may be divided into two or more fields, and re-ordering of those fields may be provided.
[0109] That is, the blocks may be communicated between the external storage device and the block buffers in a random, non-sequential sequence that does not reflect the true execution sequence of the blocks by the secure circuit. Moreover, re-ordering may occur for bytes within one or more blocks, or for entire chains. Any field may be re-ordered.

[0110] Such non-sequential transmission is effective in deterring a pirate from ascertaining the program information structure, sequence, and organization executing in the secure circuit. By re-ordering any field within a chain or chains, or the relative position of entire chains in a program information sequence or multiple program information sequences, a pirate is deterred from detecting information regarding the execution sequence of the program information in the processing circuit. With re-ordering, a pirate may then be deterred from easily learning the correct clear text or cipher text of the program information, making certain cryptographic attacks more difficult to accomplish. Preferably, the program information is encrypted for increased difficulty of analysis.

[0111] An alternative embodiment of this apparatus communicates the blocks of program information from the storage device to the secure circuit while substantially randomly re-ordering the fields of a program information sequence. A new sequence is used to communicate the fields from the secure circuit back out to the storage device, thereby changing the field associated with a particular storage location in the storage device. Means are provided internally to the secure circuit to store the new "true" sequence of the program information in the storage device.
[0112] The new underlying sequence order for the fields of a program information sequence is then stored in the secure device so that future communications of the same blocks will allow the correct re-ordering based on the new sequence in the secure circuit. Means, such as a data bus or network, are provided for communicating the program information with the secure processing circuit.

[0113] While the bytes may be re-ordered when communicated between the storage device and secure circuit using the sequence re-ordering techniques above, each byte of program information is still associated with a particular storage location. For example, the first byte of the first block of the first chain of a program information sequence is always located at a particular storage location, even though the pirate may have problems ascertaining that in fact it was the first byte of the first block because of the re-ordering. The pirate may then nonetheless trial the value at that particular storage location (e.g., address) in a systematic and organized way.
[0114] Changing the underlying storage location of data in the storage device prevents a pirate from trialing the program information stored in a particular location in the storage device. By dynamically changing the program information location in a storage device after each use, a pirate trialing program information at a particular location in the storage device will not be dealing with precisely the same program information each time. The attack therefore becomes intractable.
[0115] In a further aspect of the present invention, the data sub-fields, bytes, blocks, chains and program information sequences may be fixed and not random. The sequence may be different for each byte, block, chain or program information sequence accessed. This is a permutation that is performed differently on appropriate fields of the incoming program information. Advantageously, this permutation function can be easily implemented in hardware since it is not randomized.
[0116] In a particular implementation, the secure circuit uses program information for generating a cryptographic key.

[0117] The program information is encrypted using cipher block chaining, and optionally authenticated and/or re-ordered. In another embodiment, the program information is authenticated and optionally encrypted and/or re-ordered using block chaining.

[0118] The key may be used in software to decrypt or descramble a data transmission. By authenticating the instructions, a pirate is deterred from providing phony program information to the secure circuit descrambling the data transmission.

[0119] In another aspect of the present invention, a secure circuit uses program information for generating a cryptographic key. The key may be used to descramble a data transmission in hardware. Depending on the partitioning of the secure circuit, the descrambling may be done internally or externally.

[0120] The key may be generated and handed to a software module to descramble the data transmission. The software module may be internal to the secure circuit or external to the secure circuit.

[0121] In both instances above, the secure circuit may consist of an integrated circuit (IC) having an authentication circuit, a central processing unit (CPU), and one or more block buffers which are adapted to store one or more blocks of program information.
[0122] The external storage device may be a flash memory, an erasable programmable read-only memory (EPROM), an electrically erasable programmable read-only memory (EEPROM), a battery-backed random access memory (RAM), RAM, or a combination of the above. It may also be a hard disk drive, a CD-ROM, or any type of mass storage device. The external storage device also stores authentication information (e.g., check bits) for authenticating the program information when it is received in the secure circuit. In some implementations, it is desirable for the contents of the storage device to be copied to a faster storage device such as synchronous dynamic memory so that the secure circuit can fetch program information from the faster storage device, e.g., dynamic memory, rather than the slower storage device with its associated latencies. For example, a network computer may copy program information from the server over the network. The faster storage device may be local, while the slower storage may be remote, in the network computer case, accessed over the network.

[0123] To reduce the overall latency of execution of real-time executing code, the first communication path may have a sufficient bandwidth so that two or more of the strings, one or more blocks, or one or more chains may be communicated to the block buffers substantially at the same time.

[0124] The program information bus is typically not wider than the instruction width because there is a bottleneck problem. The CPU is only executing at a particular rate. The program information would have to be stored somewhere. However, when there is latency associated with other processing - encryption or authentication - this can help to reduce overall latency.
[0125] For example, the secure circuit may read more than one block of program information essentially concurrently, where more than one block buffer is used to store the additional blocks, e.g., one buffer per block. In the secure circuit, the authentication circuit receives the program information and authentication information from the one or more block buffers for use in authenticating the program information. In a second communication path in the IC, the authenticated program information from the authentication circuit is provided to the CPU to be executed to thereby decrypt the scrambled data transmission. The program information may include a plurality of strings of instructions, such as lines of computer code, or related data sequences, which are to be processed in succession by the CPU.
[0126] A cache may be arranged in the second communication path to temporarily store the authenticated program information before it is provided to the CPU. The cache may store at least one of the strings of program information so that at least two of the strings of program information may be provided to the CPU substantially concurrently (e.g., the stored string and the last authenticated and deciphered string). In this manner, the program information is efficiently communicated to the CPU. The advantage of a cache is that the CPU may fetch already authenticated program information from the cache rather than using the external storage device communication means, e.g., bus or network, which involves various latencies.
[0127] When a first chain and a subsequent second chain are communicated from the external storage device to the one or more block buffers, the authentication circuit authenticates the first and second cipher block chains to provide corresponding authenticated program information. Additionally, the CPU may process at least a portion of the authenticated program information from the first chain while the authentication circuit is authenticating at least a portion of the program information of the second chain. Deciphering of the program information, when required, may similarly be performed in an overlapping manner.
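The trade-off behind [0070]-[0071] (chain length against authentication overhead) and the overlap described in [0126]-[0127] can both be quantified with the following added timing model. It is not from the patent: the function names, the assumption that a chain may only execute once it has been fully authenticated, and the figures (a 256-block program, 10 cycles to authenticate and 5 cycles to execute one block, three 4-block chains) are all constructed for this page.

```python
import math


def chain_overhead(total_blocks, chain_len, auth_blocks_per_chain=1):
    """Storage overhead and first-execution delay for a given chain length.
    Shorter chains cut the wait before the first block can execute but add one
    authentication block per chain ([0070]-[0071])."""
    chains = math.ceil(total_blocks / chain_len)
    auth_blocks = chains * auth_blocks_per_chain
    return {
        "chains": chains,
        "auth_blocks": auth_blocks,
        "overhead": auth_blocks / total_blocks,            # fraction of storage spent on auth data
        "blocks_before_first_exec": min(chain_len, total_blocks) + auth_blocks_per_chain,
    }


def schedule(chains, auth_cycles_per_block, exec_cycles_per_block, overlap):
    """Cycle at which each chain finishes executing (constructed model).
    A chain executes only after the whole chain has been authenticated.  With
    overlap, the authentication circuit starts the next chain as soon as the
    current one is verified while the CPU executes from the cache
    ([0126]-[0127]); without overlap the two units take turns."""
    auth_free = cpu_free = 0
    finish = []
    for n in chains:
        auth_done = auth_free + n * auth_cycles_per_block
        exec_start = max(auth_done, cpu_free)
        exec_done = exec_start + n * exec_cycles_per_block
        cpu_free = exec_done
        auth_free = auth_done if overlap else exec_done
        finish.append(exec_done)
    return finish


def demo():
    # Constructed figures: 256-block program, 10 cycles/block to authenticate, 5 to execute.
    long_chains = chain_overhead(256, 16)
    short_chains = chain_overhead(256, 4)
    serial = schedule([4, 4, 4], 10, 5, overlap=False)
    overlapped = schedule([4, 4, 4], 10, 5, overlap=True)
    return {
        "overhead_16": long_chains["overhead"],
        "overhead_4": short_chains["overhead"],
        "first_exec_16": long_chains["blocks_before_first_exec"],
        "first_exec_4": short_chains["blocks_before_first_exec"],
        "serial_total": serial[-1],
        "overlapped_total": overlapped[-1],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18s} {value}")
```

With those figures, 16-block chains spend 6.25% of storage on authentication blocks but make the CPU wait for 17 blocks before the first instruction, while 4-block chains spend 25% and wait for 5; and letting the authentication circuit run ahead while the CPU executes from the cache brings three 4-block chains from 180 cycles to 140.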

[0128] An alternative embodiment of this apparatus communicates the fields of program information between the storage device and the secure circuit while also communicating fields that are not used by the immediate, e.g., current or next, program information sequences processed by the secure circuit. This obfuscation technique uses dummy fields of data that may be simply chaff, e.g., never used by the secure circuit during any program information execution, or they may be part of other program information sequences that are simply not currently being processed between the secure circuit and the storage device. Means associated with the secure circuit are provided to eliminate the dummy bytes of the particular blocks to recover the bytes in the first byte sequence, and the subsequent byte sequences of the remaining blocks. The dummy bytes may optionally be used during decryption and/or authentication prior to elimination after being received by the secure circuit. Additionally, dummy blocks and chains that may be eliminated in the same way are provided.
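The re-ordering, chaff and relocation mechanisms of [0107]-[0114] and [0128] can be put together in one small model. The following is an added example written for this page, not code from the patent: the class names, the use of Python's random.Random as a stand-in for an on-chip random source, the 16-cell address pool and the 4-block chain are all constructed. The secure circuit alone holds the true block order; each fetch reads the blocks in a fresh random order interleaved with reads of unrelated cells, discards the chaff, restores the true order, and then moves every block to a new address, so a probe that records the bus sees neither the execution order nor the same data at the same address twice.

```python
import random

BLOCK = 8
CHAFF = b"\xff" * BLOCK   # constructed dummy data; never executed by the secure circuit


class ExternalStorage:
    """Untrusted memory outside the secure circuit: address -> block, plus a log of
    the addresses a probe on the bus would observe."""
    def __init__(self):
        self.cells = {}
        self.bus_log = []

    def read(self, addr):
        self.bus_log.append(("R", addr))
        return self.cells[addr]

    def write(self, addr, block):
        self.bus_log.append(("W", addr))
        self.cells[addr] = block


class SecureCircuit:
    def __init__(self, storage, pool, seed):
        self.storage = storage
        self.rng = random.Random(seed)     # stand-in for an on-chip random source
        self.pool = list(pool)             # every address the circuit may use
        self.free = set(pool)              # addresses currently holding chaff
        self.layout = {}                   # chain id -> addresses in TRUE block order
        for a in pool:
            storage.write(a, CHAFF)

    def store_chain(self, chain_id, blocks):
        """Write a chain to random free addresses, in a random bus order ([0109]);
        only the circuit remembers the true order ([0111])."""
        addrs = self.rng.sample(sorted(self.free), len(blocks))
        self.free -= set(addrs)
        for i in self.rng.sample(range(len(blocks)), len(blocks)):
            self.storage.write(addrs[i], blocks[i])
        self.layout[chain_id] = addrs

    def fetch_chain(self, chain_id, chaff_reads):
        """Read the chain in a fresh random order mixed with reads of unrelated cells
        ([0128]); drop the chaff, restore true order, then move every block to a new
        address so the same cell never holds the same data twice ([0112], [0114])."""
        addrs = self.layout[chain_id]
        others = [a for a in self.pool if a not in addrs]
        plan = [(i, a) for i, a in enumerate(addrs)]
        plan += [(None, self.rng.choice(others)) for _ in range(chaff_reads)]
        self.rng.shuffle(plan)
        recovered = [None] * len(addrs)
        for idx, addr in plan:
            block = self.storage.read(addr)
            if idx is not None:            # chaff reads are discarded after the transfer
                recovered[idx] = block
        self._relocate(chain_id, recovered)
        return recovered

    def _relocate(self, chain_id, blocks):
        old = self.layout[chain_id]
        new = self.rng.sample(sorted(self.free), len(blocks))   # disjoint from old
        for a, b in zip(new, blocks):
            self.storage.write(a, b)
        for a in old:
            self.storage.write(a, CHAFF)
        self.free = (self.free - set(new)) | set(old)
        self.layout[chain_id] = new


def demo():
    pool = [0x1000 + BLOCK * i for i in range(16)]           # constructed 16-cell memory
    mem = ExternalStorage()
    sc = SecureCircuit(mem, pool, seed=7)
    program = [bytes([i] * BLOCK) for i in range(1, 5)]      # constructed 4-block chain
    sc.store_chain("boot", program)
    layout_before = list(sc.layout["boot"])
    first = sc.fetch_chain("boot", chaff_reads=2)
    layout_after = list(sc.layout["boot"])
    second = sc.fetch_chain("boot", chaff_reads=2)
    reads = [a for op, a in mem.bus_log if op == "R"]
    return {
        "recovered_ok": first == program and second == program,
        "reads_per_fetch": len(reads) // 2,                   # 4 real + 2 chaff
        "chaff_in_first_fetch": sum(a not in layout_before for a in reads[:6]),
        "relocated": not (set(layout_before) & set(layout_after)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22s} {value}")
```

The circuit recovers the chain intact on both fetches, every fetch puts six reads on the bus of which two touch cells unrelated to the chain, and no address used by the chain before the first fetch is used by it afterwards.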
[0129] Cipher block chaining or simple block chaining as described herein may be used to both hash and encrypt for privacy. For example, the program information and authentication information may be carried in two or more eight-byte blocks. Block chaining is efficient due to the relatively low overhead of the authentication information relative to the authenticated data. The authentication information is XORed with the last clear data (e.g., program information) blocks and optionally decrypted to yield a verification value. The value is compared to a value which is known by the hardware to verify that the authentication data is correct. The value may be different for different chains or it may be fixed for all chains.

[0130] Using cipher block chaining to both encrypt and hash is a way to reduce the amount of hardware associated with the security function. Only one buffer is needed as all blocks by necessity are processed in a serial fashion. The XOR function is more robust than that done in simple block chaining because it is difficult to make a change in one block and be able to compensate for it by changing another block. Since the XOR is done prior to a decryption step, it is more difficult to manipulate a block to cancel any change made. However, serial processing is required.

BRIEF DESCRIPTION OF THE DRAWINGS

[0131]

FIG. 1 is a schematic diagram of a cryptographic key generator/descrambling receiver apparatus in accordance with the present invention.

FIG. 2 is a schematic representation of a cipher block chaining encryption scheme in accordance with the present invention.

FIG. 3 is a schematic representation of a cipher block chaining decryption scheme in accordance with the present invention.

FIG. 4 is a schematic representation of a simple block chaining encryption scheme in accordance with the present invention.

FIG. 5 is a schematic representation of a simple block chaining decryption scheme in accordance with the present invention.

FIG. 6 is a schematic diagram of an alternative cryptographic key generator/descrambling receiver apparatus in accordance with the present invention.

DETAILED DESCRIPTION OF THE INVENTION 

[0132] An apparatus is presented for a secure processor. The preferred embodiment emphasizes security.

[0133] Encrypted, authenticated, and sequence-permuted blocks of program information and dummy data are securely communicated between an external memory and a cryptographic ASIC in cipher block chains. Processing of the program information allows the ASIC to derive a key which is used to decrypt digital packets of video and audio for subscription television.
[0134] FIG. 1 is a schematic diagram of a cryptographic key generator/descrambling receiver apparatus in accordance with the present invention. The descrambling receiver, shown generally at 100, includes a secure circuit, e.g., an integrated circuit (IC) 105 such as an ASIC, and a storage device, e.g., memory 110, which is external to the ASIC 105. The memory 110 is external to the ASIC 105 since the memory 110 is not embedded within the ASIC package. For example, the memory 110 and ASIC 105 may be provided as separate packages on a decoder motherboard.

[0135] In either case, the memory 110 can be increased or reduced by removing and replacing the memory IC, without interfering with or modifying the secure circuit 105. Additionally, new program information such as patch code may be downloaded to the external memory 110 via a telephone line, satellite link, or cable television link, for example. Alternatively, the program information could be installed locally at the descrambling receiver, such as via a smart card, either connected by a socket or soldered to the same board. Or, the memory 110 itself could be located in a smart card, in which case a new smart card could be provided at a relatively low cost to upgrade a decoder. Advantageously, this arrangement provides substantial benefits by allowing the program information (e.g., software or firmware) which is stored in the external storage device 110 to be easily upgraded or modified to provide new features or to fix software problems.
[0136] For example, the external storage device 110 can be easily replaced or modified to provide customized features for businesses or individuals, or to provide specific features to groups according to factors such as demographic profile, geographical location, time zone, and the like.

[0137] In contrast, if the memory 110 were in ROM and internal to the ASIC 105, the ASIC would have to be replaced altogether, thereby resulting in significant costs and delays. The ASIC may be built using advanced VLSI processes that use RAM and ROM technology to achieve high processing and bit transfer rates, not only for the transfer of program information between the ASIC and the external memory, but also for internal execution out of the cache, and for the descrambling of the digital packets of video and audio. An ASIC created out of RAM and ROM technology can decrypt a higher bit rate of packetized data than an ASIC created out of alternative technologies. The external memory thus provides the ASIC with greater flexibility.

[0138] The external storage device 110 may be a flash memory, an erasable programmable read-only memory (EPROM), an electrically erasable PROM (EEPROM), or a battery-backed volatile memory such as a random access memory (RAM). Alternatively, a conventional read-only memory (ROM) may be used.
[0139] An EPROM allows the programming in the memory to be erased by exposure to intense ultraviolet light. New code may then be stored in the EPROM in a process known as re-burning. An EEPROM is alterable by applying an elevated voltage to reset the internal memory cells. By using EEPROM or battery-backed RAM, the external memory may also be used to store short term and long term data. The memory space could also be partitioned across different physical devices so that different memory types may be used together. On power-up, the non-volatile memory may be copied to much faster memory such as synchronous dynamic RAM. This can reduce latency in the read/write operations of the external memory.
[0140] The contents of the external storage device 110 may be encrypted using cipher block chains or, using simple block chains, may be authenticated and optionally encrypted. The program information can be used by the ASIC 105 to decode a scrambled data transmission. The program information may comprise lines (e.g., strings) of code which are to be executed by a central processing unit (CPU) 170 in the ASIC 105. Each line refers to an executable command or data used by the program. The code may conform to a reduced instruction set computer (RISC) architecture, where each line of code can be executed in a single chip clock cycle.

[0141] The program information is processed using cipher block chaining. The block encryption method is triple DES. Three keys are available for use. One key is used with the high order address lines. Another key is used with the low order address lines. This provides address-dependent decryption. The third key may be unit-dependent.

[0142] The hashing algorithm can use a double feed-forward hash (DFFH), for example, as described in U.S. Patent application serial number 08/577,922, filed December 22, 1995. The hash is keyed. The key may be an XOR of the address and unit key to provide both address- and unit-dependence to the authentication. Different hashing algorithms may be used whereby the keys could be appended together rather than XORed.

[0143] In the preferred embodiment, the op-codes generated are processed by an instruction decoder 172. Illegal op-codes can be flagged by an illegal op-code detector 174 in the instruction decoder 172, with the appropriate action taken. For example, the CPU 170 may send a signal to an alarm circuit 162, which in turn sends a kill (erase) signal to a storage device 150 which may store initialization vectors, decryption keys, and authentication keys.

[0144] With cipher block chaining, any trialing (trial-and-error alteration) of the program information will cause every subsequent block to decrypt differently.

[0145] Furthermore, the address lines of the external storage device may be scrambled such that sequential blocks of the program information are stored non-sequentially. That is, the bytes, which may each include eight bits, for example, can be stored in non-sequential address locations of the storage. Thus, the external storage device 110 is said to be a scrambled memory. A key may be used here as well. The key may differ on a group or unit basis.

[0146] The storage device 110 also stores authentication information for use in securely communicating the program information to block buffers 130, 132 and 134 of the ASIC 105 via a bus 115. The authentication information, also known as check bits, is communicated to a check bit block buffer 136 of the ASIC 105.
[0147] Authentication information is data that is appended to a message, e.g., a chain of program information, to enable a receiver to verify that the message should be accepted as authentic. The authentication information is a function of the message (e.g., chain) contents, such as when a hash value or cryptographic checksum is used. A hash value is a fixed length value which is obtained by mapping a chain of data of any length with a public function. In the preferred embodiment, the hashing is keyed, and the authentication information is encrypted under a different key.
[0148] The program information of the external storage device 110 is communicated via a bus 115 to one or a number N of block buffers, including, for example, block buffers 130, 132 and 134. While a plurality of block buffers are shown, a minimum of one is required.
[0149] The encryption/decryption circuit 120 is provided to encrypt or decrypt the blocks. The circuit 120 may also provide enciphering, for example, when clear text data is received by the block buffers or from another source, and it is desired to encrypt the clear text data. The enciphered data can subsequently be transmitted via the buffers to the external storage device.
[0150] An authentication circuit 125 hashes the clear text blocks of program information using, for example, the above-mentioned DFFH function. The authentication can be performed in a concurrent serial fashion as the blocks are decrypted. When block 1 is decrypted, it can be hashed. When block 2 is decrypted, it can be hashed with the output of the hash of the first block, and so on. The hashing of the data is keyed such that only knowledge of a secret or private key can generate the correct hash. Alternatively, as mentioned above, decryption occurs for authentication information, e.g., check bits, that, when XORed with the authenticated data (e.g., program information), results in a known value that may be verified by the hardware. The authentication circuit 125 and encryption/decryption circuit 120 can communicate with one another, and may share common circuitry.

[0151] Cipher block chaining may be used for the block chain which is communicated from the external storage device to the secure circuit 105. Cipher block chaining is discussed in W. Stallings, Network and Internetwork Security, IEEE Press, Englewood Cliffs, New Jersey, U.S.A., pp. 59-61, 1995, incorporated herein by reference. Cipher block chaining can be used for both encryption and hashing, but in a preferred embodiment it is used simply for robust encryption, and a separate hashing function is used. The block encryption algorithm used with cipher block chaining is triple DES.
[0152] Chain lengths can vary between 16 and 32 blocks. Chain lengths are varied on a chain by chain basis according to key and address parameters.
[0153] The sequence order in which the blocks are communicated between the memory and the ASIC is random. A random number generator associated with the address generator accesses the proper storage locations of the blocks in memory.
[0154] Authentication information is sent as one of the 16 to 32 blocks communicated. It can be communicated at any position in the sequence. When decrypted, it is compared with the hash value.

[0155] For example, N=16 blocks may be used in the cipher block chain, with each block having eight bytes of data. With cipher block chaining, each encrypted block of data depends on the clear text data of the current block, as well as the clear text data of all preceding blocks. Block chaining enhances security since the same clear text input will yield different encrypted data depending on the other clear text blocks. Additionally, the overhead data which is allocated to the authentication information is significantly reduced. If one of the 16 blocks is devoted to authentication information, then this represents only 1/16 = 0.0625 or 6.25% of the program information. If N=32, then the figure would be 1/32 = 0.03125 or 3.13%. In the preferred embodiment, the chain size can vary between 16 and 32, so on average the figure would be 1/24 = 0.0417 or 4.17%. That is, only 4.17% of the program information is authentication information.

[0156] This could vary if, for example, two blocks instead of one block of authentication information were provided. There are many possibilities. But chaining dramatically lowers the required storage capacity needed just for authentication.
[0157] Chaining also allows the use of smaller memory components, which greatly reduces the cost of the system, and/or increases system throughput since the amount of authentication information which is accessed from the storage device is reduced. Cipher block chaining is also discussed below in connection with FIGs. 2 and 3.

[0158] A potential disadvantage of cipher block chaining is the latency in instruction execution when a new code segment which has not been decrypted and authenticated ahead of time and, perhaps, stored in the cache, needs to be accessed. The blocks must be decrypted serially since it is not possible to begin decrypting a block until the previous block has been decrypted.

[0159] More sophisticated hashing functions such as message digest 5 (MD5), the secure hash algorithm (SHA), and even cipher block chaining could be used. DFFH was chosen because it is DES based. It is possible to use the same hardware that is doing the decryption to also do the authentication. The inputs to the DES engine can be controlled to maximize use of the hardware. Although one-way functions are desirable, they are not mandatory since, if the authentication algorithm uses a secret key, a one-way function is not that much better than a reversible algorithm such as cipher block chaining: anyone with knowledge of the secret key will be able to compute the appropriate authentication information to go along with any program information that may be provided. Authentication using public key cryptography is better because knowledge of the key held in the secure circuit to check (decrypt) the hash does not allow a pirate to produce (encrypt) the hash in the first place, since a different key is required for that. Only the key used to check the hash, which can be public, needs to be known to the decoder.

[0160] With either scheme, the bus 115 may be sized to have a bandwidth which allows at least two lines of instructions, or grouped program information, to be carried at once. Alternatively, the bus 115 may be sized to carry one full block (e.g., eight bytes) of the chain, or even two or more full blocks. The bus 115 can also be sized to carry one or more entire chains at once.
[0161] A sequence of blocks is communicated which are either authenticated and, optionally, encrypted instructions, e.g., blocks B1, B2, ..., B(N-1), or cipher block encrypted and, optionally, authenticated. Encrypted blocks are used with cipher block chaining, but are optional with simple block chaining. The authentication information is included in the communication of the program information in a block of check bits, e.g., block BN.
[0162] The savings in overhead data with cipher block chaining or simple block chaining while maintaining a desired security level can be seen as follows. The average number of trials to break the authentication is 2^(n-1), where the authentication is n bits in length. To provide a sufficient level of security, the authentication length should reflect to some degree the length of the key or keys used to encrypt the instructions. Otherwise, pirates will attack the weakest component of the system, which could be the authentication information itself. That is, instead of trialing the key to discover what key the program information was encrypted under, a pirate can trial the authentication information and cause the CPU to process synthesized program information. If the encryption uses a key of at least seven bytes for DES, then preferably seven or eight bytes should be used for the authentication information. For example, with authentication information which is seven bytes in length (e.g., n=56 bits), 2^55 trials are required on average, which is similar in difficulty to breaking the DES key.
[0163] When an eight byte block of authentication information is appended to an eight byte message block, the overhead of the authentication information is 50% (e.g., 8/(8+8)). However, when block chaining is used in accordance with the present invention, and a seven byte block is appended to a chain of 16 to 32 eight-byte blocks, for example, the overhead as discussed above is only about 4.17%, with robust security. Accordingly, block chaining provides a substantial reduction in authentication information overhead while maintaining a desired security level.
[0164] In a further aspect of the present invention, re-ordering of the chain which is communicated from the external storage device to the ASIC 105 is provided. This re-ordering is used in addition to the scrambled storage of the blocks in the storage device, discussed below, but it is possible to use the re-ordering by itself. By randomly re-ordering the blocks in the chain, a pirate is deterred from detecting information regarding the execution sequence of the program information in the processing circuit. As with byte- and chain-level re-ordering, block re-ordering can be done randomly such that repeated execution of the same code will fetch data from the external memory in different sequences each time. For example, with byte level re-ordering, if there are eight bytes per block, there are 8! = 40,320 different sequences in which the bytes may be ordered. Similarly, for block re-ordering, if there are sixteen blocks per chain, there are 16! = 2.09 x 10^13 different sequences in which the blocks may be ordered. For chain re-ordering, if there are 4 chains per program information sequence, there are 4! = 24 different sequences in which the chains may be ordered. And, it is possible to use all three together. The total number of possible permutations would then be 40,320 x 2.09 x 10^13 x 24 = 2.02 x 10^19.
[0165] It is important to realize that any field can be the basis for re-ordering and that bytes, blocks and chains are arbitrary units of bits. The fields being re-ordered could be nibbles. Also, bytes do not have to be eight bits, nor blocks eight bytes, etc.
[0166] With this in mind, the re-ordering operation could allow bytes to be re-ordered across two or more blocks, blocks across two or more chains, and chains across two or more program information sequences. Here, we get a different result. For example, with byte level re-ordering, if there are eight bytes per block re-ordered over two blocks, there are 16! = 2.09 x 10^13 different sequences in which the bytes may be ordered.
[0167] If cipher block chaining is used in conjunction with re-ordering, where serial processing of the blocks is required, multiple block buffers are needed to store all the related fields prior to deciphering. Moreover, as discussed further in connection with FIG. 6, if re-ordering occurred across two or more chains, then two or more chains' worth of block buffers would be needed. Re-ordering across program information sequences would require even more block buffers. Deciphering may be delayed until the fields associated with the last block sequence are read because, when re-ordered internally, the last block read may be the first block of the chain sequence.

[0168] With cipher block chaining, security is emphasized. However, simple block chaining, as described with the XOR hashing function in FIG. 3, avoids latency problems and can be used with chain, block, byte or any field re-ordering. Regardless of the chain, block, byte or field order, all of the bytes in a block are available to perform the authentication. Additionally, when decryption is required, each block is decrypted independently.
[0169] Address data provided to the external storage device may randomly select fields, bytes, blocks, or chains for communication to the ASIC 105. A block re-ordering circuit multiplexer 112 may be provided which communicates with the bus 115 to reverse the re-ordering as necessary for the encryption/decryption circuit 120 and authentication circuit 125 to perform their functions. The block re-ordering circuit multiplexer 112, address generator 160, and address scrambler 164 may communicate with each other, and with the CPU 170 as required, to coordinate the re-ordering steps. The address generator 160 may be responsive to a random number generator 166. The random number generator 166 can provide random or pseudo-random sequence permutations for the fields of a chain or chains which need not conform to any algorithm embodied in the hardware.

[0170] Chain, block, byte, and field level sequence scrambling is generally applicable to virtually any scheme where blocks of data are communicated from a memory to a secure circuit for processing. As mentioned above, scrambling the order of bytes or sub-fields within each block does not affect decryption latency since all of the bytes must be assembled before authentication and decryption can begin in any case. However, the re-ordering confuses a pirate as to which cipher text corresponds to which instruction or other data block. It also confuses a pirate as to the structure, sequence, and organization of the program information in the storage device.

[0171] In the preferred embodiment, an entire eight byte block is read in by the secure circuit 105; the order in which the first byte is read relative to the other bytes would change from block to block, and could change randomly each time the storage device is accessed. But when re-arranged within the secure circuit, there is only one proper sequence for a block that must undergo decryption. For cipher block chaining, this has the advantage of not requiring more than one block buffer, since only the bytes of an individual block are being re-ordered, but it narrows the obfuscation to an even smaller period of time. The data from the external storage device can be rearranged or sorted prior to loading the individual bytes into the block buffer.

[0172] In a further aspect of the present invention, the blocks of a chain are written back out into the storage device in a new pattern. Each random reading of the storage device is followed by a corresponding writing of the data back out in a different random sequence. Associated with each chain is a memory device which stores the current underlying ordering sequence of the chain. The re-ordering can be random.
[0173] Dummy data may also be communicated between the storage device 110 and the secure circuit 105. The dummy data may be chaff which is stored by the storage device 110. This is data which never gets processed by the secure circuit, but it may optionally be used as filler, and be decrypted and optionally authenticated by the secure circuit. It is easy to generate chaff. One simply performs a branching or jump operation immediately preceding the chaff. If no calls, branches, or jumps are ever made to the location where the chaff is, then that chaff will never be executed. The dummy data may also be real program information for other chains and instruction sequences that may be accessed at a later time and under different situations. Like chaff, this data may optionally be used as filler, and be decrypted and optionally authenticated with the other program information. But this data does not get processed by the secure circuit. The superfluous data confuses the pirate attempting to analyze the authenticated program information.

[0174] One of the best ways to communicate dummy data is through variable length chains. The actual number of blocks communicated could remain the same while the number of dummy blocks changed. With re-ordering of blocks it would be hard for a pirate to determine which blocks might be the dummy ones. The dummy blocks in the preferred embodiment would actually be data which is never processed.
[0175] The external storage device 110 may be encrypted such that the blocks of program information and authentication information are stored in non-sequential address locations in the storage device. It would be preferable to include the high order address bits in the encryption of the storage device so that any block of program information may be located anywhere in the memory space. Substitution tables (S-tables) can be used to eliminate regularity and add non-linearity in the address encryption.

[0176] Specifically, the authenticated, block chained external storage device is encrypted so that the execution of the cryptographic code can be concealed from a pirate who is observing the storage device accesses on the communication path 113. A pirate may be prevented from learning about the proprietary algorithms being executed. Encrypting may therefore prevent a pirate from ascertaining the contents of the storage device, and from systematically attacking the secure circuit 105 through other means with the hardware. Encryption of the storage device prevents the pirate from knowing exactly which encrypted program information is the likely target for attack. Knowing exactly which program information could make the system vulnerable to a security breach, the pirate might otherwise focus on upsetting the processing of that program information.
[0177] If address scrambling and data encryption and authentication were used alone, e.g., without data re-ordering, only one block buffer is required in a minimal implementation.

[0178] Scrambling can be accomplished by using an address generator which is associated with the secure circuit 105 to provide addressing information to the external storage device. A number, possibly a random one, may be provided to change the sequence in which the program information is communicated. The sequence information is used to multiplex the appropriate field, byte or block buffer to communicate with the appropriate byte or block at the right time. Individual strings of sub-fields, bytes or blocks of data from the external storage device are then transferred to the block buffers in a desired sequence according to the addressing information. The addressing information is provided to the authentication and deciphering circuits to allow these circuits to descramble the data and function accordingly.

[0179] Various block encryption algorithms, such as triple DES, may be used. Furthermore, the scrambling algorithm may use the same substitution box (S-box) tables as DES but with fewer rounds. The number of rounds may be selectable for different applications, such that an application requiring less security uses fewer rounds, while one requiring more security might use the entire sixteen rounds that DES calls for. Reducing the number of rounds reduces the latency of the decryption operation.
[0180] Address-dependent decryption and authentication of the program information can prevent a pirate from moving otherwise properly encrypted and authenticated block chains around in the storage device to get the decoder to process program information out of sequence. Such out-of-sequence processing could cause the descrambling receiver to improperly grant access to and descramble a data transmission.
[0181] If possible, the key used for encryption and decryption and/or authentication should have both address dependent scrambling and unit key dependence. The unit key is a key that is unique to each decoder and may depend on, for example, the decoder serial number which is provided at the time of manufacture. Thus, it is desirable for the key to depend on individual units, or groups of individual units. Otherwise, it may be possible for a pirate to read the scrambled key data in the external storage device from one unit, and then place that same scrambled key into another unit's external storage device. This might be a way for a pirate to clone authorization to services between units and must be prevented.

[0182] Address dependent scrambling and unit key dependence also prevent knowledge of a key used to authenticate and/or scramble a block of program information in one decoder from being used in another decoder. For example, without unit dependence, if this secret key is discovered through VLSI probing, for instance, then it can be used to correctly authenticate and decrypt program information for other decoders. In other words, if a key or keys were useful for more than one unit, a pirate might then be able to use the key or keys obtained from one unit to either encrypt, encrypt and authenticate, or authenticate program information for another unit. To achieve unit-dependent scrambling, a download process using an optional on-chip enciphering circuit may be used to load external flash, EPROM, battery-backed RAM, or a mass storage device at unit creation time. This enciphering circuit may be the same one used to allow for bi-directional read/write capability between the secure circuit and the storage device. An alternative would be to have these external storage devices loaded by the configuration system at unit creation time using knowledge of the unit's secret or private key or keys.
[0183] FIG. 2 is a schematic representation of a cipher block chaining encryption scheme in accordance with the present invention. Blocks of clear text program information are converted to a chain comprising blocks of encrypted program information which includes the authentication information. In the example shown, each encrypted block of program information depends on the clear text program information of the current block as well as the clear text program information of a previous block.

[0184] An authentication circuit 203 and an encryption circuit 200 are shown. Specifically, the authentication circuit 203 includes hashing functions 204, 206 and 208 and an adder (XOR) 214. Functions 204, 206 and 208 may use the DFFH function discussed above or virtually any hashing function. A key is successively hashed at the functions 204, 206 and 208 to provide a hash value to the adder 214. The adder 214 also receives a zero or other value which is known by the hardware, to provide an output value to the encryption circuit 200, which may include a triple DES encrypt function represented by encrypt functions 218, 222 and 224.
[0185] Encrypt function 218 receives a secret key which is an XOR of low order address bits and a key Dk6, while the encrypt function 222 receives a secret key which is an XOR of high order address bits and a key Dk5, and the encrypt function 224 receives a secret key which is an XOR of a unit key and a third key. An adder 226 receives an output from the encrypt function 224 along with the clear text block A(N-1) and provides the cipher text authentication block BN. The adder 226 essentially hashes the clear text data.
[0186] Clear text blocks A1, ..., A(N-1), which may include program information for descrambling a data transmission, are received by the respective triple-key encryption functions, and are also provided for XORing into the subsequent cipher text block. For example, A1 is processed by encrypt functions 228, 232 and 234, which are each responsive to keys as shown. An adder 236 receives the output from the encrypt function 234 along with an initialization vector (IV) to provide the cipher text block B1.

[0187] A2 is processed by encrypt functions 242, 244 and 246, which are each responsive to keys as shown. An adder 248 receives the output from the encrypt function 246 along with the clear text block A1 to provide the cipher text block B2. Thus, B2 is a function of both A1 and A2. Likewise, A(N-1) is processed by encrypt functions 252, 254 and 256, which are each responsive to keys as shown. An adder 258 receives the output from the encrypt function 256 along with the clear text block A(N-2) to provide the cipher text block B(N-1).
[0188] The IV may be zero, or a function of tiie 
address data or unit key which is provided to the block 
re-ordering circuit 1 12 or other randomizing function. A 
block size of eight bytes is assumed for this example. 
Moreover, although triple DES is illustrated using ttiree 
different keys for each DES operation, fewer or more 
keys may be used. More keys may be introduced into a 
DES operation by splitting up the rounds to use different 
keys instead of a single key. 

[0189] Additional keys may be used for the encryption functions, and additional and/or alternative encryption steps may be taken. Preferably, each of the cipher text block encrypt functions uses the same encryption algorithm, although this is not required.

[0190] The N encrypted blocks, B1 through BN, may be provided to a further encrypt function, such as block re-ordering circuit mux 112 of FIG. 1, which performs a block-wise scrambling of the N blocks according to an address data signal. For example, with N=8 blocks, the blocks may be stored in sequential addresses of the external storage device 110 in the order: B1, B3, B2, B5, B4, B6, B8, B7. The blocks are said to be stored in a random or non-sequential manner since they are not stored in successive addresses of the storage device.

[0191] With the temporal re-ordering scheme discussed above, the blocks may subsequently be transmitted to the block buffers in another sequence, for example, B5, B3, B2, B6, B4, B7, B8, B1, which differs from both the order that the blocks were provided to the re-ordering circuit 112 as well as the storage sequence.
[0192] The authentication and encryption functions and associated elements need not be collocated with the external storage device 110. That is, the encryption circuit 200 may be located at a cable television system headend, or a satellite uplink, while the storage device is part of a descrambling receiver in a consumer's home. The authenticated and/or encrypted program information can be provided to the memory 110 via any convenient channel, for example, such as via a telephone, satellite, cable television link or computer network. The authenticated and/or encrypted program information may also be installed locally via a smart card, or the storage device 110 itself may be pre-loaded with the encrypted program information prior to the installation and initialization in the descrambling receiver.

[0193] Referring again to the descrambling receiver 100 of FIG. 1, address data used by the address scrambler 164 can be stored in an address generator 160 of the ASIC 105. The address data is provided to the external memory 110 via a path 165 so that the scrambled blocks of encrypted instructions can be read out in a desired sequence (e.g., B1, B2, ..., BN). In particular, blocks which comprise a chain may be read out non-sequentially from the memory 110 to provide the blocks in the unscrambled sequence via line 113. Optionally, the blocks may be transmitted from the external storage device 110 to the secure circuit 105 in the scrambled or random time sequence and descrambled at the ASIC 105 using the block reordering circuit multiplexer 112. The address data may also be used by the external storage device 110 to transmit different block chains in a scrambled (e.g., non-sequential order) manner.

[0194] The address data and the encrypted blocks B1 through BN of successive cipher block chains are provided to an encryption/decryption circuit 120 and authentication circuit 125 of the ASIC 105. The encryption/decryption circuit 120 uses the address data to unscramble the cipher block chain sequence as required. Re-ordering may also occur at the block reordering circuit multiplexer 112. The encryption/decryption circuit 120 also receives the secret decryption key from a decryption key memory 150 of the ASIC 105, and performs a decryption algorithm which is the inverse of that used to provide the encrypted blocks. The decryption process is discussed immediately below and also in connection with FIG. 3.
[0195] With the block chaining scheme, the blocks B1 through BN of each chain must be decrypted in succession. That is, B1 is first decrypted, then the result is used in decrypting B2, and so on. Once blocks B1 through BN-1 have been decrypted, the authentication block, BN, can be decrypted, and the authentication information (e.g., checksum or hash) can be calculated by the authentication circuit 125 to authenticate the chain. The correct authentication information may be pre-stored within the authentication circuit 125 and compared to the calculated authentication information to provide the necessary verification. Finally, lines of clear text (e.g., decrypted) program information are obtained and provided to the cache 140.

[0196] For secure communication between an external storage device 110 and the secure circuit 105, the outgoing program information from the secure circuit to the storage device must also be authenticated and/or encrypted. Thus, to change a byte or string of data in the external storage device 110, the entire block and block chain must be read into the ASIC, the change made, and then the proper authentication information may be calculated. After the authentication information is calculated, the newly encrypted block information and changed authentication information are written out, for example, using simple block chaining. The program information may be written back to the storage device in a different underlying sequence than it was fetched.

[0197] The un-modified blocks do not need to be written out unless the location in the storage has changed. With cipher block chaining, changing one block of data can change subsequent blocks in a chain. Those affected blocks would need to be written out as well.

[0198] There are instances when the secure circuit needs to communicate to the outside world in a clear mode, e.g., for printers, error messages, display purposes, and the like. Therefore, the encryption/decryption circuit 120 and/or verification/authentication circuit 125 should have a disable mode whereby program information may be communicated and conditionally bypassed. In such a mode, program information may not be communicated in either a block or a chain since there would not be a requirement for either encryption or authentication. Such a mode may also be useful for debug and testing of the system.

[0199] Different chain lengths may be used for communicating different types of program information from the storage device. Program information requiring less latency can have smaller chain lengths. Program information that can tolerate more latency can have a longer chain length, thereby saving on the storage of the corresponding authentication information. Thus, the length of each chain can be set according to the processing latency of the program information of the respective chains.

[0200] For example, it may be possible to have only two blocks of program information in the chain, one for the data and one for the authentication information. Although an entire chain of program information must be fetched and decrypted first to change even a single byte, a change in data does not have to be written out to the external storage device immediately. Data may be stored internally, such as in the cache 140, until such time that the external storage device needs to be updated. At that time, the ASIC must write the entire chain with the modification back out to the external storage device.

[0201] Referring again to the encryption/decryption circuit 120, the decrypted program information is provided to a cache 140 for temporary storage, and to a CPU 170 for execution. The program information may be used to decode a scrambled data transmission using additional processing hardware or software and steps which are not shown, but which are well known in the art.

[0202] The cache 140 is a RAM which provides a buffering capability with a relatively high-speed access, and may be sized to store a substantial amount of data. The cache 140 may store thousands of bytes, which corresponds to the size of the instructions and operation data of many block chains. The CPU may execute program information from a first cipher block chain while the encryption/decryption circuit 120 is decrypting blocks from a second, subsequent cipher block chain. The second chain may follow the first chain directly, or may be separated from the first chain by one or more intermediate chains. Thus, system throughput may be improved due to the overlapping activity of the authentication circuit, deciphering circuit and the CPU. Generally, although the execution time of the program information in the CPU will typically be faster than the decryption time in the encryption/decryption circuit 120, efficiencies can be achieved by coordinating the deciphering and execution activities, and optimizing the number of rounds used in the encryption/decryption algorithm.

[0203] Additional efficiencies may be realized by writing the program information, e.g. instructions, which are executed by the CPU to conform to the block chain transfer scheme. In particular, the amount of program information in lines of the instructions can conform to the block size and the number of blocks in a chain. For example, lines of instructions should be carried in full in a block chain rather than being split into two chains, to avoid waiting for a second block chain to be decoded to recover the remainder of a line. An instruction is typically only a few bytes long (e.g., 1-4 bytes), so a chain of blocks will typically include several instructions.

[0204] The cache 140 can optionally receive a signal from the address generator 160 to coordinate the storing and transferring of program information to the CPU 170. For example, the signal may inform the cache 140 that additional block chains are being sent to the buffers, authentication circuit 125 and encryption/decryption circuit 120, so that additional executable program information will be received by the cache 140.

[0205] One or more registers 180 may be provided which interface with the cache 140 and CPU 170. Also, a small internal ROM can be used to store boot-up or other program information which may be required in the ASIC 105.

[0206] FIG. 3 is a schematic representation of a cipher block chaining decryption scheme in accordance with the present invention. The scheme shown is the counterpart of the encryption scheme of FIG. 2. Re-ordering is performed when required to obtain the fields in the desired sequence for decrypting. An authentication circuit 303 and decryption circuit 300 are provided. At the decryption circuit, each of the cipher text blocks B1, ..., BN is decrypted.

[0207] First, the respective cipher text blocks are XORed with the prior decrypted clear text block or an initialization vector. Specifically, B1 and the IV used during encryption are received at an adder 320 to provide an output to a triple DES decryption function, including decrypt functions 322, 324 and 326. The clear text block A1 is output from decrypt function 326 and provided to an adder 330 and a hash function 304. At the hash function 304, A1 and a key are hashed to provide an output to successive hash functions 306 and 308, and an adder 310.

[0208] The adder 330 receives A1 and B2 to provide an output to decrypt functions 332, 334 and 336 to provide the clear text block A2. Similarly, an adder 340 receives AN-2 and BN-1 to provide an output to decrypt functions 342, 344 and 346 to provide the clear text block AN-1. An adder 350 receives the authentication block BN as well as AN-1 to provide a value to decrypt functions 352, 354 and 356. The output of decrypt function 356 is provided to an adder 310 along with a hash value from hash function 308 to produce an output of either one or zero. If the output is zero, then the authentication value is valid since it matches the hash value, and an enable signal is set to allow processing to continue. However, if the output of the adder 310 is one, then the authentication value is not valid, and an alarm state may be initiated at the alarm circuit 162 to provide a kill (erase) signal for partial or full erasure of the contents of the key storage device 150.
[0209] When block re-ordering is used, a pirate attempting to trial program information and the authentication information value will likely create invalid op-codes. Invalid op-codes are hex data instructions for which there is no corresponding action. Various options exist for handling an authentication value or op-code that does not check out. One possibility is to perform a reset of the secure circuit, which would require the pirate to reconfigure and re-initialize the ASIC for another attack.

[0210] Another possibility is to cause the processor in the ASIC to jump to an infinite "no operation" (NOP) loop. This is a state where the ASIC performs no substantial operation, requiring the pirate to first detect the NOP operation, then force a reset himself, and reconfigure and re-initialize the ASIC for another attack. Or, the number of mismatches between the pre-stored value and the decrypted value may be counted such that one or all of the stored keys are erased when a threshold number of mismatches are detected. These keys could be sensitive keys whereby knowledge in the outside world could pose a major security breach. Their erasure would cause a permanent malfunction of an otherwise good unit.

[0211] Another possible countermeasure is to erase a temporary key, such as one of the delivered keys, rather than a key which is loaded at unit initialization or creation time. This forces the pirate to contact the network service provider for re-authorization, thereby potentially exposing the pirate. In the preferred embodiment emphasizing security, all of the keys would be erased.
[0212] FIG. 4 is a schematic representation of a simple block chaining encryption scheme in accordance with the present invention. As discussed above, this configuration can avoid latency problems which are characteristic of the cipher block chaining technique of FIGs. 2 and 3. Encryption of all clear text blocks may be carried out independently and substantially in parallel. Encryption and decryption of the authentication information depends on the clear text blocks. The simple block encryption technique may have greater susceptibility to some trialing attacks by pirates, however, since the modification of a block will not affect other blocks, other than the authentication information.

[0213] An authentication circuit 403 and encryption circuit 400 are provided. Blocks of clear text program information A1, A2, ..., AN are processed to provide corresponding blocks of cipher text, B1, B2, ..., BN, respectively. One of the cipher text blocks, designated generically as Bj, is an authentication block, and can assume any position among the other cipher text blocks (e.g., 1 <= j <= N).

[0214] At the encryption circuit 400, block A1 is encrypted at a function 402 to provide block B1, block A2 is encrypted at a function 404 to provide block B2, block AN-1 is encrypted at a function 408 to provide block BN-1, and block AN is encrypted at a function 410 to provide block BN. Additionally, each of the clear text blocks is provided to an adder 412 in the authentication circuit 403 to provide a value to an encrypt function 406 to produce a cipher text authentication block, Bj. Bj can be the first block B1, the last block BN, or any block in between. The adder 412 also receives a zero or other value which is known by the hardware.

[0215] Each of the encrypt functions for the non-authentication blocks, e.g., functions 402, 404, 408 and 410, may operate under the same key K1, which is obtained by XORing a unit key, high order address bits, a secret key Dk1 and low order address bits. The encryption function for the authentication block, e.g., function 406, may operate under a different key, K2, which is obtained using a secret key Dk2. The encrypted blocks can be provided to the block re-ordering circuit, as discussed previously.
[0216] In accordance with the present invention, authentication information is derived from the clear text blocks by providing an adder 412 which takes the XOR of the clear text blocks A1, A2, ..., AN and, optionally, a pre-stored value. The output of the adder 412 is subsequently encrypted at the function 406 to provide the encrypted authentication block Bj. Virtually any hash function may be used instead of, or in addition to, the adder 412. Moreover, it is not necessary for each clear text block to be input to the adder 412.

[0217] FIG. 5 is a schematic representation of a simple block chaining decryption scheme in accordance with the present invention. The decryptor is the counterpart of the encryptor of FIG. 4. Re-ordering is performed when required to obtain the blocks in the desired sequence for decrypting.

[0218] A decryption circuit 500 and authentication circuit 503 are provided. Decrypt functions 502, 504, 508 and 510 use a key as shown to decrypt cipher text blocks B1, B2, BN-1 and BN, respectively, to provide the clear text blocks A1, A2, AN-1 and AN. The cipher text authentication block Bj is decrypted at a function 506 using a different key. The outputs from each of the decrypt functions are provided to an adder 512 to provide a hash value which, in turn, is summed at an adder 514 with a pre-stored hardware value.

[0219] If the output of the adder 514 is zero, then the hash value and hardware value are the same, and the authentication data is verified, and subsequent processing is enabled. However, if the output of the adder 514 is one, then the hash value and hardware value are different, and the authentication data is not verified, so an alarm state is set.
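The two chain constructions described above, as an added worked example that is not code from the patent: the cipher block chain of FIGs. 2 and 3 (paragraphs [0184] to [0188] and [0206] to [0208]) and the simple block chain of FIGs. 4 and 5 (paragraphs [0213] to [0219]). It assumes a 4-round Feistel network with an HMAC-SHA256 round function as a stand-in for triple DES, fixed byte-string keys instead of the XOR of address bits, unit key and Dk values, SHA-256 for hash functions 204 to 208 applied to the authentication key only (the FIG. 2 arrangement), and the authentication block placed last (j = N).

```python
import hashlib
import hmac

BLOCK = 8     # eight-byte blocks, as assumed in paragraph [0188]
ROUNDS = 4    # rounds of the stand-in Feistel cipher (assumption, not from the patent)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, half: bytes, rnd: int) -> bytes:
    # Round function of the stand-in cipher: HMAC-SHA256 truncated to 4 bytes.
    # It replaces the triple DES of FIGs. 2 to 5 so that the example runs offline.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]

def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Keyed permutation of one 8-byte block (4-round Feistel network)."""
    l, r = block[:4], block[4:]
    for rnd in range(ROUNDS):
        l, r = r, xor(l, _round(key, r, rnd))
    return l + r

def decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of encrypt_block: the same rounds applied in reverse order."""
    l, r = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        l, r = xor(r, _round(key, l, rnd)), l
    return l + r

def hash_chain(key: bytes) -> bytes:
    """Hash functions 204, 206 and 208 of FIG. 2: the key hashed three times in succession."""
    h = key
    for _ in range(3):
        h = hashlib.sha256(h).digest()
    return h[:BLOCK]

# FIG. 2 / FIG. 3: cipher block chain with a trailing authentication block.
def cbc_chain_encrypt(dk, ak, blocks, iv, known=bytes(BLOCK)):
    """B1 = E(A1) xor IV; Bi = E(Ai) xor A(i-1); BN = E'(H(key) xor known) xor A(N-1)."""
    out, prev = [], iv
    for a in blocks:                                      # adders 236, 248, ..., 258
        out.append(xor(encrypt_block(dk, a), prev))
        prev = a
    auth = encrypt_block(ak, xor(hash_chain(ak), known))  # adder 214, functions 218-224
    out.append(xor(auth, blocks[-1]))                     # adder 226
    return out

def cbc_chain_decrypt(dk, ak, cipher, iv, known=bytes(BLOCK)):
    """Blocks are decrypted in succession ([0195]); returns (clear blocks, valid)."""
    clear, prev = [], iv
    for b in cipher[:-1]:                                 # adders 320, 330, ..., 340
        a = decrypt_block(dk, xor(b, prev))
        clear.append(a)
        prev = a
    inner = decrypt_block(ak, xor(cipher[-1], clear[-1]))  # adder 350, functions 352-356
    check = xor(inner, xor(hash_chain(ak), known))          # adder 310
    return clear, not any(check)      # all-zero output sets enable; otherwise alarm

# FIG. 4 / FIG. 5: simple block chain, authentication block placed last (j = N).
def simple_chain_encrypt(k1, k2, blocks, known=bytes(BLOCK)):
    acc = known
    for a in blocks:                                      # adder 412
        acc = xor(acc, a)
    # The data blocks do not depend on each other, so they could be encrypted in parallel.
    return [encrypt_block(k1, a) for a in blocks] + [encrypt_block(k2, acc)]

def simple_chain_decrypt(k1, k2, cipher, known=bytes(BLOCK)):
    clear = [decrypt_block(k1, b) for b in cipher[:-1]]   # functions 502, 504, 508, 510
    acc = decrypt_block(k2, cipher[-1])                   # function 506
    for a in clear:                                       # adder 512
        acc = xor(acc, a)
    return clear, acc == known                            # adder 514

def demo():
    """Returns (cbc round trip ok, tampered cbc chain accepted,
    simple round trip ok, swapped simple chain accepted)."""
    dk, ak, iv = b"data-key", b"auth-key", bytes(BLOCK)   # constructed keys and IV
    chain = [b"LDA #$01", b"STA $200", b"JMP $300"]       # constructed 8-byte "instruction" blocks
    c = cbc_chain_encrypt(dk, ak, chain, iv)
    clear, ok = cbc_chain_decrypt(dk, ak, c, iv)
    t = list(c)                       # flip one bit of B2: A2 and every later clear block
    t[1] = xor(t[1], b"\x01" + bytes(BLOCK - 1))   # change, and adder 310 is nonzero
    _, tampered_ok = cbc_chain_decrypt(dk, ak, t, iv)
    s = simple_chain_encrypt(dk, ak, chain)
    _, simple_ok = simple_chain_decrypt(dk, ak, s)
    # Swapping two data blocks leaves the XOR at adder 412 unchanged, so the simple
    # chain still verifies; this is why [0216] allows a real hash in place of the adder.
    _, swapped_ok = simple_chain_decrypt(dk, ak, [s[1], s[0]] + s[2:])
    return clear == chain and ok, tampered_ok, simple_ok, swapped_ok
```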

[0220] FIG. 6 is a schematic diagram of an alternative cryptographic key generator/descrambling receiver apparatus in accordance with the present invention. Like-numbered elements correspond to the elements of FIG. 1. The receiver, shown generally at 600, includes chain block buffers 130, 132 and 134 which are used for the first, second and Nth blocks, respectively, of a first chain, and block buffers 630, 632 and 634 which are used for the first, second and Mth blocks, respectively, of a second chain. With this scheme, two or more blocks (one from each chain) can be communicated over line 113 at the same time. Moreover, additional block buffers may be provided to store data from more than two chains. Each chain can have the same or different lengths.

[0221] The encryption/decryption circuit 120 and authentication circuit 125 process chain 1, while the encryption/decryption circuit 620 and authentication circuit 625 process chain 2. The data from the key storage device 150 may be provided to the circuits 120, 125, 620 and 625 as required for each of the chains. Moreover, although shown as separate elements, the authentication circuit 125 and encryption/decryption circuit 120 may share common circuitry with the authentication circuit 625 and encryption/decryption circuit 620.

[0222] The embodiment of FIG. 6 allows for re-ordering across two or more chains when cipher block chaining is used. As discussed, when cipher block chaining is used, each block in a chain must be temporarily stored to recover the authentication block. The receiver 600 can therefore provide parallel processing of two or more cipher block chains, chain-wise re-ordering, or block-wise re-ordering across two or more chains.
[0223] Accordingly, it can be seen that the present invention provides an apparatus for descrambling a scrambled data transmission by transferring authenticated and, optionally, encrypted program information from an external storage device to a secure circuit in a simple block chain. Encrypted and optionally authenticated program information is also transferred from the external storage device to the secure circuit in the cipher block chain. The scheme allows upgrades and other changes to descrambling instructions to be easily made without modifying the secure circuit.

[0224] Additionally, the use of block chaining improves system throughput and reduces system cost by reducing authentication information overhead. Further efficiencies are obtained by providing a cache to transfer two or more lines of decrypted or authenticated program information to the CPU in a single clock cycle, and by managing the timing of block deciphering with the transfer of decrypted data to the cache and the CPU.

[0225] An alternative embodiment of the invention uses simple block encryption instead of cipher block chaining. With this scheme, the blocks of the chain are authenticated by using a large authentication field as with the cipher block chaining. However, the chain of blocks may be decrypted and authenticated substantially in parallel rather than serially.

[0226] Re-ordering of the block chain using any field such as byte, block, and/or chain level is also provided, in addition to scrambled address storage at the external storage device.

[0227] Additionally, a bi-directional capability may be provided to allow program information to be transferred from the secure circuit to the external storage device. The program information need not be encrypted but only authenticated for security.

[0228] Although the invention has been described in connection with various specific embodiments, those skilled in the art will appreciate that numerous adaptations and modifications may be made thereto without departing from the spirit and scope of the invention as set forth in the claims.

[0229] For example, the invention is particularly suitable for deterring the copying and reverse engineering of proprietary software algorithms, and for securing cryptographic applications such as the descrambling of data transmissions such as pay-TV programs to prevent unauthorized users from receiving television broadcasts. The invention is equally useful in other applications, including terminals and smart cards for electronic funds transactions, premises access control, electronic games, commodities and stock data used by traders, data which is transferred via the Internet or other computer networks, and so forth.

[0230] Moreover, the invention is compatible with alternative encryption schemes such as a stream cipher, or a combination of both a stream cipher and cipher block chaining such as the Common Scrambling Algorithm (CSA).

[0231] Another such scheme is public key encryption. Because each block and chain is relatively small compared to the modulus sizes of, say, the RSA public key system, which can have sizes of 2048 bits (256 eight-bit bytes), it is possible to use RSA to encrypt one or more program information chains. If the RSA public key system were used, then it may be preferable to use an unbalanced exponent pair whereby the decryption private exponent was small, for example, equal to three. That would lower program information latency. After decryption, the authentication information could be checked as in the block encryption techniques described above and decrypted and checked, or simply checked. This makes it difficult to set the decrypted authentication value. And, as mentioned above, a combination of a secret key and a public key can be used.

Claims 

1. An apparatus for processing program information, comprising:

a secure circuit including a central processing unit (CPU) and at least one block buffer for storing at least one block of the program information;

an external storage device which is adapted to store the program information external to said secure circuit;

a first communication path which is adapted to communicate a group of blocks of said program information from said external storage device to said at least one block buffer in a first block chain; and

a second communication path which is adapted to communicate the program information from the at least one block buffer to the CPU for processing therein.

2. The apparatus of claim 1, wherein: said secure circuit comprises an authentication circuit for authenticating said program information.

3. The apparatus of claim 2, wherein: said block chain is a simple block chain such that said group of blocks in said first block chain are processed substantially in parallel by said authentication circuit.

4. The apparatus of claim 2 or 3, wherein:

said first block chain and a subsequent second block chain of said program information are communicated between the external storage device and said at least one block buffer; and

said authentication circuit is adapted to authenticate at least a portion of the program information of said first block chain while at least a portion of said second block chain is being communicated over said first communication path.

5. The apparatus of one of claims 2 to 4, wherein:

said first communication path is adapted to communicate blocks of program information from said storage device to said at least one buffer in a second chain; and

said authentication circuit is adapted to authenticate program information from at least a portion of said first block chain and at least a portion of said second chain substantially concurrently.

6. The apparatus of one of claims 2 to 5, further comprising:

a cache arranged in said second communication path which is adapted to temporarily store the authenticated program information before the authenticated program information is provided to said CPU.

7. The apparatus of one of the preceding claims, further comprising:

means for detecting an illegal operational code in the program information.

8. The apparatus of one of the preceding claims, wherein:

at least part of said program information is hashed to provide said block chain.

9. The apparatus of one of the preceding claims, further comprising:

address generating means for providing addressing information to the external storage device for communicating said blocks of program information from the external storage device to said at least one block buffer in a desired sequence.

10. The apparatus of one of the preceding claims, wherein said program information comprises a plurality of strings which are to be processed in succession by said CPU.



11. The apparatus of one of the preceding claims, wherein:

said blocks of program information are stored in the external storage device in scrambled storage locations.

12. The apparatus of one of the preceding claims, wherein:

chains of said program information with substantially randomly varying lengths are communicated from the external storage device to said at least one block buffer.

13. The apparatus of claim 12, further comprising:

address generating means for providing addressing information to the external storage device for communicating said blocks of program information from the external storage device to said at least one block buffer in a desired sequence; wherein:

the substantially randomly varying lengths are determined according to said addressing information.

14. The apparatus of one of the preceding claims, further comprising:

means for providing a substantially random block-wise reordering of said first block chain, and substantially random re-ordering of a block of said first block chain to communicate a re-ordered chain from the external storage device to said at least one block buffer.

15. The apparatus of one of the preceding claims, wherein:

units of said program information are communicated from the external storage device to said at least one block buffer using substantially randomly varying sequences.

16. The apparatus of claim 15, wherein said units of program information comprise block chains.

17. The apparatus of one of the preceding claims, wherein:

a plurality of program information is communicated from the external storage device to said secure circuit in units of varying length; and

the length of each unit is determined according to a processing latency of the associated program information of the respective units.
18. The apparatus of one of the preceding claims, wherein:

said program information comprises dummy data which is not processed by the CPU.

19. The apparatus of one of the preceding claims, wherein:

said program information stored in the external storage device is encrypted;

said secure circuit comprises a decryption circuit which is responsive to said at least one block buffer for decrypting the encrypted program information; and

said second communication path is adapted to communicate the decrypted program information from the decryption circuit to the CPU for processing therein.

20. The apparatus of claim 19, wherein: said first block chain and a subsequent second block chain of said program information are communicated between the external storage device and said at least one block buffer; and

said decryption circuit is adapted to decrypt at least a portion of the program information of said first block chain while at least a portion of said second block chain is being communicated over said first communication path.

21. The apparatus of claim 19 or 20, wherein:

said first communication path is adapted to communicate blocks of program information from said storage device to said at least one buffer in a second chain; and

said decryption circuit is adapted to decrypt program information from at least a portion of said first block chain and at least a portion of said second chain substantially concurrently.

22. The apparatus of one of claims 19 to 21, further comprising:

a cache arranged in said second communication path which is adapted to temporarily store the decrypted program information before the decrypted program information is provided to said CPU.

23. The apparatus of one of claims 19 to 22, wherein:

said first block chain is a cipher block chain.

24. The apparatus of one of the preceding claims, further comprising:

a communication path which is adapted to communicate a group of blocks of program information from said secure circuit to said external storage device in a second block chain.

25. The apparatus of claim 24, further comprising:

an encryption circuit for encrypting the program information for the second block chain.

26. The apparatus of claim 25, wherein said encryption circuit is conditionally responsive to address information to allow a clear mode for the program information for the second block chain.

27. The apparatus of one of claims 24 to 26, further comprising:

an authentication circuit for authenticating the program information for the second block chain.

28. The apparatus of claim 27, wherein said authentication circuit is conditionally responsive to address information to allow a clear mode for the program information for the second block chain.

29. The apparatus of one of claims 24 to 28, further comprising:

a re-sequencing circuit for randomly re-ordering the program information for the second block chain.

30. The apparatus of one of claims 24 to 29, further comprising:

a length determination circuit for randomly varying the length of units of the program information for the second block chain.

31. The apparatus of one of claims 24 to 30, further comprising:

a dummy-data insertion circuit for adding dummy-data to the program information for the second block chain.

32. The apparatus of one of the preceding claims, wherein a plurality of chains of program information are communicated from the external storage device to said secure circuit in a substantially randomly varying sequence.

33. An apparatus for communicating program information, comprising:

a secure circuit for providing said program information;

an external storage device which is adapted to store the program information external to said secure circuit; and

a first communication path which is adapted to communicate a group of blocks of said program information from said secure circuit to the external storage device in a first block chain.

34. The apparatus of claim 33, wherein:

said program information comprises authentication data; and

said secure circuit comprises an authentication circuit for providing said authentication data.

35. The apparatus of claim 34, wherein:

said block chain is a simple block chain such that said group of blocks in said first block chain are processed substantially in parallel by said authentication circuit to provide said authentication data.

36. The apparatus of claim 34 or 35, wherein:

said authentication circuit hashes at least part of the program information to provide said authentication data.

37. The apparatus of one of claims 33 to 36, further comprising:

address generating means for providing addressing information to the external storage device for communicating said blocks of program information from said secure circuit to the external storage device in a desired sequence.

38. The apparatus of one of claims 33 to 37, wherein:

said blocks of program information are stored in the external storage device in scrambled storage locations.

39. The apparatus of one of claims 33 to 38, wherein:

units of said program information with substantially randomly varying lengths are communicated from said secure circuit to the external storage device.

40. The apparatus of one of claims 33 to 39, wherein a plurality of chains of program information are communicated from said secure circuit to the external storage device in a substantially randomly varying sequence.

41. The apparatus of one of claims 33 to 40, further comprising:

means for providing at least one of (a) substantially random block-wise re-ordering of said first block chain, and (b) substantially random re-ordering of a block of said first block chain to communicate a re-ordered chain from said secure circuit to the external storage device.

42. The apparatus of one of claims 33 to 41, wherein:

units of said program information are communicated from said secure circuit to the external storage device using substantially randomly varying sequences.

43. The apparatus of one of claims 33 to 42, wherein:

units of said program information are communicated from said secure circuit to the external storage device using substantially randomly varying lengths.



44. The apparatus of one of claims 33 to 43, wherein:

said program information comprises dummy data which was not processed by the CPU.

45. The apparatus of one of claims 33 to 44, wherein said program information is provided in block chains.



46. The apparatus of one of claims 33 to 45, wherein:

said secure circuit comprises an encryption circuit for encrypting said program information; and said first communication path is adapted to communicate the encrypted program information from the encryption circuit to the external storage device.

47. The apparatus of claim 46, wherein:

said block chain is a cipher block chain.

48. The apparatus of one of claims 33 to 47, further comprising:

a communication path which is adapted to communicate a group of blocks of program information from said external storage device to said secure circuit in a second block chain.

49. The apparatus of claim 48, wherein the program information stored in said external storage device is encrypted, said secure circuit further comprising:

a decryption circuit for decrypting the encrypted program information in the second block chain.

50. An apparatus for processing encrypted program information, comprising:

a secure circuit including at least one of encryption and decryption circuits, a central processing unit (CPU), and at least one block buffer for storing at least one block of program information;

an external storage device which is adapted to store the program information external to said secure circuit;
a first communication path which is adapted to communicate a group of blocks of said program information between said external storage device and said at least one block buffer in a first cipher block chain;
said at least one of said encryption and decryption circuits being responsive to said at least one block buffer for respectively encrypting or decrypting said program information; and
a second communication path which is adapted to communicate the program information between said at least one of decryption and encryption circuits and said CPU.
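Claims 33 to 49 and the labels of FIG. 4 and FIG. 5 describe a chain of blocks written to external memory together with an authentication hash, each block keyed from the unit key and its address, and an alarm state raised when the recomputed hash does not match. The Python model below is an added example, not the patent's own logic or circuit: it assumes a 16-byte block, models the block cipher with a hash-derived pad (a stand-in, not a real cipher), takes the previous ciphertext block as the chaining value with an all-zero starting value, and shows that a tampered block or a chain replayed at a different address trips the alarm.

```python
import hashlib

BLOCK = 16  # block size in bytes; a constructed choice, not taken from the patent

def _xor(*parts: bytes) -> bytes:
    """XOR several byte strings of up to BLOCK bytes together."""
    out = bytearray(BLOCK)
    for p in parts:
        for i, b in enumerate(p):
            out[i] ^= b
    return bytes(out)

def _block_key(unit_key: bytes, high_addr: int, low_addr: int, prev_ct: bytes) -> bytes:
    # Key mixing modelled on the FIG. 4/5 labels (unit key, high address,
    # low address, chaining value). Assumption: the chaining value is the
    # previous ciphertext block, starting from an all-zero value known by hardware.
    return _xor(unit_key, high_addr.to_bytes(BLOCK, "big"),
                low_addr.to_bytes(BLOCK, "big"), prev_ct)

def _cipher(key: bytes, block: bytes) -> bytes:
    # Stand-in for the block cipher: XOR with a hash-derived pad. Not a real
    # cipher; it only gives each (key, block) pair a distinct transformation.
    return _xor(block, hashlib.sha256(key).digest()[:BLOCK])

def encrypt_chain(unit_key: bytes, high_addr: int, blocks: list[bytes]) -> list[bytes]:
    """Build one cipher block chain: the clear blocks plus one authentication block."""
    if len(unit_key) != BLOCK or any(len(b) != BLOCK for b in blocks):
        raise ValueError("unit key and blocks must be exactly BLOCK bytes")
    tag = hashlib.sha256(b"".join(blocks)).digest()[:BLOCK]  # authentication data (hash)
    prev, chain = bytes(BLOCK), []
    for low_addr, clear in enumerate(blocks + [tag]):
        ct = _cipher(_block_key(unit_key, high_addr, low_addr, prev), clear)
        chain.append(ct)
        prev = ct
    return chain

def decrypt_chain(unit_key: bytes, high_addr: int, chain: list[bytes]) -> tuple[list[bytes], int]:
    """Decrypt a chain and re-check its hash; returns (blocks, alarm), alarm 1 on mismatch."""
    if len(chain) < 2:
        raise ValueError("a chain holds at least one block plus its authentication block")
    prev, clear = bytes(BLOCK), []
    for low_addr, ct in enumerate(chain):
        clear.append(_cipher(_block_key(unit_key, high_addr, low_addr, prev), ct))
        prev = ct
    blocks, tag = clear[:-1], clear[-1]
    # FIG. 5, element 514: "1" is the alarm state when hash != authentication
    alarm = 0 if hashlib.sha256(b"".join(blocks)).digest()[:BLOCK] == tag else 1
    return blocks, alarm
```

Because the address enters every block key, a chain copied intact to another storage location decrypts to garbage and fails the hash check, which is the property the address-scrambled storage of claim 38 relies on.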
EP0 908 810 A2 
[FIG. 4: encryption (400). Clear text blocks A1 ... An and authentication (403) are encrypted (402, 404) under UNIT KEY ⊕ HIGH ADDRESS ⊕ DK1 ⊕ LOW ADDRESS and UNIT KEY ⊕ HIGH ADDRESS ⊕ DK2 ⊕ LOW ADDRESS to give cipher text blocks B1 ... Bn and the cipher text (authentication) bits; K2 applied to authentication bits only; "0" or other value known by hardware.]
[FIG. 5: decryption (500). Cipher text blocks B1 ... Bn and the cipher text (authentication) bits are decrypted (502, 504, 506, 508, 510) under UNIT KEY ⊕ HIGH ADDRESS ⊕ DK1 ⊕ LOW ADDRESS and UNIT KEY ⊕ HIGH ADDRESS ⊕ DK2 ⊕ LOW ADDRESS to give clear text blocks A1 ... AN-1, An; DK applied to authentication bits only; authentication hash (512); 514: IF HASH = AUTHENTICATION THEN "0", ELSE "1"; "1" is alarm state.]